* Pete Allor: > I do agree with Greg K-H that open source projects should become CNAs. > But do want to note that missing elements of the CVE when submitting > allows CISA-ADP to 'vulnrich' your data. Here is where > misinterpretation and/or lack of understanding by CISA confuses > downstream users and once you gain that 'critical' stigma in the > system, you have to be persistent to get that changed. > > Is that a problem? I think so and so do a number of PSIRTs so now we > have to contend with CISA-ADP and NVD to adjust their scores when the > CNA is 'the authoritative source' within the CVE Program.
The larger problem is that component scoring tends to be higher than whole-system scoring. If a security component fails in its security function, it certainly deserves an impact rating that reflects that it's totally broken due to the vulnerability. But if this component is integrated into a larger system, impact is often lower and might even be insignificant due to the way the component is used. The current system does not really reflect that. One way to deal with it could be to treat everything as a fork, but not to decouple from upstream changes, but to make it clear that the upstream impact ratings do not apply. Thanks, Florian
