On 11/5/25 04:30, Peter Gutmann wrote:
> Greg KH <[email protected]> writes:
>> I totally agree that all "major" open source projects should become a CNA,
>> and strongly recommend taking back control over stuff like this.
> The problem is that individuals can't be CNAs…
Another problem for projects with few maintainers and resources is that
it’s lower effort to dispute incorrect CVEs than register as a CNA, at
least while CVE volume is low. This is obviously a worse outcome for
downstream users who may have already started processing and dealing
with the false CVE. I’m not saying this is a good approach, but just
noting this is the way incentives are currently (mis)aligned.