Re: How to request a CVE for open source projects

[Kurt Seifried <kseifried () redhat com>]

On 2017-05-22 5:44 PM, Kurt H Maier wrote:
> On Mon, May 22, 2017 at 03:13:42PM -0600, Kurt Seifried wrote:
> > Well actually they can. Why do you think we (DWF) have an extensible Json format with the data hosted in git? Hint: 
> > so people can contribute.
> Is it the opaque Google Docs form that fosters contribution, or the
> gatekept pull-request process requiring a Github account that fosters
> contribution?
Neither, that's part of what I'm figuring out. Most likely it'll look
like a trusted pool of people (aka CVE Mentors) that can either
contribute or more easily gatekeep). Also the doc are out of date and
the process is evolving rapidly so I haven't really bothered updating
them since things keep changing.

> At what point in the DWF process is third-party input expected to occur?

Good question. What exactly is it you want to input? CVE requests? CVE
assignments? Modify existing CVE entries?
> The matter is not addressed in the documentation repository.  Feel free 
> to mail me offlist if the answers would induce excessive cognitive 
> dissonance.
Not really. the docs are out of date and I'm more concerned about
evolving this right now then updating documentation.

> khm

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com