Olle E. Johansson <[email protected]> writes:

> I think there are very few one person projects that have knowledge, time and
> resources to operate a CNA.

This isn't one person trying to run a CNA for something like Apache, it's one person running a CNA for Bob's Text Editor, which gets seven proposed CVEs a year, of which six are AI slop and the seventh is an airtight-hatchway "vulnerability". It's a means of dealing with AI slop and bogus CVEs for small projects, as per a much earlier portion of the discussion.

Just for reference, the response I got at the time, triggered by some random CNA issuing a bogus CVE that I didn't find out about until weeks later, was:

  Unfortunately, Individuals are not eligible to become a CNA. If your project is hosted on GitHub, consider using the GitHub CNA.

So that would in theory be one way to do it, but since its main purpose is dealing with a flood of AI slop, I'm not sure that moving to having the GitHub CNA flooded with it is the right way to do it. The goalposts have shifted a lot since the CNA model was originally set up; for many projects the main issue is dealing with AI slop, not dealing with vulns.

Peter.
