On Thu, May 17, 2012 at 2:02 PM, Daniel Shahaf <d...@daniel.shahaf.name> wrote:
>...
> CVEs are meant to be a unique identifier for an issue, so I think it's
> a (minor?) problem if different downstreamers request CVEs
> independently.
>...
> IOW, "Should we be trigger-happy or conservative on requesting CVE
> identifiers?"
I think we can be conservative on this. We track things using issues, version control, and mailing lists. The CVE doesn't really help *us*.

If we believe that a downstream user is going to want/need some fancy footwork around a security problem, then I think we generate a CVE (for their tracking) and begin the private disclosure process.

Security team: does this sound like a reasonable approach?

Cheers,
-g