Re: How to request a CVE for open source projects

["Perry E. Metzger" <perry () piermont com>]

On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried
<kseifried () redhat com> wrote:
> > Primarily, freeform discussion of the sort that occurred on this
> > list as a natural outcropping of the CVE request process led to
> > people linking to verification code, temporary mitigations,
> > highlighting of incomplete fixes, and the sort of information
> > that was requested earlier in this thread.  This ability to
> > easily chip in to ongoing situations wasn't just useful for mitre
> > staff doing CVE work, it was also useful for the "community of
> > practice" looking for the latest information regarding
> > self-defense.  I've prevented more than one attack thanks to a
> > one-off reply from someone in response to a CVE request.    
>
> You can still do this. oss-security is a list run by Solar Designer
> (openwall.com). I happen to be a long time poster/moderator, but I
> have no official control/etc (I don't even block posts, that's up
> to solar, I just allow stuff or ignore it when it's up for
> moderation).

Maybe after CVEs are assigned the forms could be emailed to the list
as a replacement for the old request emails, to kick off
discussion and alert people to their existence?

Perry
-- 
Perry E. Metzger                perry () piermont com