Registering as a CVE Numbering Authority?
We should consider registering as a CVE Numbering Authority (CNA) covering the Hubzilla core and the official addons and themes. We could register the Hubzilla project itself, or the Association, depending on how we want to organize. I'm fine with either, really.
There are some advantages to being a CNA, but not really any downsides afaics. The advantages are mainly:
- It will be easier and faster to reserve CVE numbers when we need them. No need to interact with MITRE via email to reserve numbers anymore. It's all done via an API.
- The same for publishing and/or updating the CVEs we have reserved.
- Other people who try to reserve a CVE for any of our software/scopes will be directed to us, so that we process and accept or reject the submission.
There are also some requirements for us, pretty much stuff we should have ready anyways:
- A public vulnerability disclosure policy
- A public space where we disclose vulnerabilities. This would typically be a section on the project website, but could also be the framagit account.
There's more information about what it entails here:
https://www.cve.org/PartnerInformation/Partner#HowToBecomeAPartner

I came to think about this again because I'm waiting for MITRE to respond to a request again, something that would take half a second if we were a CNA :)
Any thoughts on this?
Btw, I do have experience with this as my previous employer was a CNA, and I was involved in handling and validating vulnerabilities and requests for CVEs for software related to them.

#cve #vulnerability management