oss-sec mailing list archives
Re: oss-security CNA
From: Josh Bressers <bressers () redhat com>
Date: Mon, 27 Apr 2009 12:56:31 -0400 (EDT)
----- "Mark J Cox" <mjc () redhat com> wrote:
So perhaps the solution is to have the vendor CNAs play more of a role on the oss-security list in allocating and helping with content decisions rather than having to have Mitre monitor the list. Then, each time a CNA gives out a CVE on oss-security they could have some requirement of a mimimum set of information about the allocation they have to provide in the same mail. By having the CNA buffer we'd only have to involve Steve or Mitre when something is complex. However, that would mean Mitre would have to check oss-security list before allocating any CVE names for oss-issues and accept there may be more duplicate allocations.
I've been thinking about this lately, it's likely a good idea. I think having an oss-security CNA that is not MITRE would be useful, and hopefully would alleviate some of the pressure MITRE currently feels. There would of course be collisions from time to time, but that's likely going to still cause less pain than the current model provides. If this idea is appealing to MITRE, we could start working out some of the details. -- JB
Current thread:
- Re: oss-security CNA Josh Bressers (Apr 27)
- Re: oss-security CNA Steven M. Christey (May 06)