Open Source Project Maintainers, Managing security vulnerabilities is currently a significant pain, especially with the recent increase in dubious CVE reports due to AI assistants. The discussion around questionable CVEs reported against projects like dnsmasq, curl highlights a growing concern within the open source community.
One effective way to combat the influx of bogus CVEs and ensure accurate vulnerability reporting is for open source projects to become their own CVE Numbering Authority (CNA). As a CNA, your project gains control over the CVE assignment process. Taking ownership of your project's as a CNA ensures that you are in control of the CVE assignment. There will be some requirements to it, sure thing. Check https://openssf.org/blog/2023/11/27/openssf-introduces-guide-to-becoming-a-cve-numbering-authority-as-an-open-source-project/ If you want to learn more and how it impacted an open source project, reach for the glibc (in the past, a frequent topic here in this mailing list) security community (https://sourceware.org/glibc/security.html) and ask them your questions. If you're interested in learning more about becoming a CNA, Red Hat (along Google, INCIBE, JPCERT/CC, and Thales Group) can help you. Reach [email protected] and we will be happy to help. Best regards; Rodrigo Freire Chief Architect
