The curl project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities in all products directly made or managed by the project. If I’m counting correctly, we are the 351st CNA.
The official announcement from Mitre states: curl is now a CVE Numbering Authority (CNA) for all products made and managed by the curl project. This includes curl, libcurl, and trurl.
In plain English, this means that we will reserve and manage our own CVEs in the future directly against the CVE database with no middle man, and also that we have a scope for CVEs that is our territory: curl and libcurl. No one else can now register CVEs for our products – without involving us. (There’s an appeals process so someone can still actually file CVEs for issues even if we say no, but at least there’s a process where both sides will argue their points.)
We do not particularly want to be a CNA but we hope that this move will make it harder to file more stupid curl CVEs in the future.
Hi Daniel
Thanks for this information.
Would you consider using the term “intermediary” or similar in place of “middle man”, which sends the wrong impression?
Thanks
Anne
Great! I sincerely hope it won’t drive you crazy if you’re begged for CVE IDs just for random reports from people who want *their* CVE.
@Willy: yeah, it’s a sort of experiment I guess. This is one attempt and we will let this run now for a while and then evaluate the situation and see. Better? Worse? The same? I figure I will produce a status update on this in a year or so…