That's exactly right, Greg. If by 'smaller' OSS projects you mean those that are resource-constrained, Red Hat is here to help! As a Root in the CVE Program, we both onboard new OSS projects to become independent CNAs and use our CNA-LR function to fully support those smaller projects (providing ID assignment, publishing, and general program support). Any resource-constrained project can reach out to our team by emailing us at [email protected]
Thanks and regards,

Yogesh Mittal
Manager, Product Security Vulnerability Management
Red Hat Pune <https://www.redhat.com/>
[email protected]
M: +91-9637123455

On Wed, Nov 5, 2025 at 4:54 AM Greg KH <[email protected]> wrote:
> On Tue, Nov 04, 2025 at 08:47:35AM -0300, Rodrigo Freire wrote:
> > Open Source Project Maintainers,
> >
> > Managing security vulnerabilities is currently a significant pain,
> > especially with the recent increase in dubious CVE reports due to AI
> > assistants. The discussion around questionable CVEs reported against
> > projects like dnsmasq and curl highlights a growing concern within the
> > open source community.
> >
> > One effective way to combat the influx of bogus CVEs and ensure
> > accurate vulnerability reporting is for open source projects to become
> > their own CVE Numbering Authority (CNA). As a CNA, your project gains
> > control over the CVE assignment process.
> >
> > Taking ownership of your project's as a CNA ensures that you are in
> > control of the CVE assignment. There will be some requirements to it,
> > sure thing. Check
> > https://openssf.org/blog/2023/11/27/openssf-introduces-guide-to-becoming-a-cve-numbering-authority-as-an-open-source-project/
>
> I totally agree that all "major" open source projects should become a
> CNA, and strongly recommend taking back control over stuff like this.
>
> But, for "smaller" open source projects, it would be _great_ if a root
> CNA could become the default for all of open source so that we don't
> have the problem where any CNA can assign CVEs against any random
> software without any repercussions.
>
> thanks,
>
> greg k-h
