RFC: Becoming a CNA as an Open Source organization or project #139
Signed-off-by: Seth Michael Larson <[email protected]>
…tions Signed-off-by: Seth Michael Larson <[email protected]>
d0dfc96 to 5e9b9fe
Signed-off-by: Seth Michael Larson <[email protected]>
712df29 to 030a91f
+1
CVE Numbering Authorities (CNAs) are the entities that can allocate CVE IDs and create corresponding CVE Records within a particular scope (a product, a project or group of affiliated projects, and the like). Becoming a CNA means that your organization will have a defined scope and will be able to create CVE IDs and Records for that defined scope autonomously.

Below are some of the benefits of becoming a CNA:
This text seems to suggest that there are ONLY advantages to becoming a CNA. I don't believe that; everything has its pros and cons.
A short list of contraindicators might be wise. E.g.:
When to not become a CNA
Becoming a CNA adds a new commitment. In particular, don't become a CNA if:
- You don't have the time or knowledge necessary to implement CNA processes. It takes time to become a CNA, and being a CNA implies that you will process and manage vulnerability reports.
- You don't plan to issue CVEs. The whole point of becoming a CNA is to issue CVEs.
You don't necessarily need to become a CNA to issue CVEs on open source software (OSS) projects. Some CNAs already cover many OSS projects, including GitHub and Red Hat. In addition, it's always possible to file for a CVE through the "CNA of last resort" (MITRE at the time of this writing). However, if you find that these general fora don't suit your needs, becoming a CNA may be a useful solution.
Thanks David, I've added a list that captures your suggestion :)
Thanks for the added list.
I worry that the list might not be noticed. I strongly urge adding a header before the new list, e.g., "Important Considerations" or something else. That way, people can find that list easily and are more likely to notice it when skimming.
Done!
Signed-off-by: Seth Michael Larson <[email protected]>
Signed-off-by: Seth Michael Larson <[email protected]>
the needs of the project.
* **Becoming a CNA adds a new commitment.** You must have the time and knowledge necessary to implement CNA processes.
Being a CNA is an ongoing commitment so your project should have multiple people able to manage the CNA and plans for continuity.
* **Issuing CVEs is the most important role of a CNA.** If you don't plan on issuing CVEs then becoming a CNA is not necessary.
what about "right of refusal", so a project can prevent false CVEs from being issued?
There is no absolute right of refusal when being a CNA; you're only guaranteed the first decision on the report. If the reporter disagrees with the determination they can appeal to your root CNA (usually MITRE or Red Hat), but at that point you're involved in that conversation too. This has a preventative effect because the whole reason false CVEs are being issued at all is that root CNAs don't always have the expertise to decide vuln/no vuln, so they err on the side of caution and issue a CVE ID. With experts involved in the process that can't happen.
Awesome - that sounds like a very good reason to become a CNA even if you plan on issuing no CVEs, which contradicts this line :-)
Authored from this draft: https://docs.google.com/document/d/1jo5van4ryPDOd0O7njzqyCBDq0NG-Z-sK2v-l9z7R2s
Please hold off on merging this until it can be discussed by the Vuln Disclosures WG and the CVE Outreach and Community WG (meets next Wednesday, Sept 27th).
cc-ing the reviewers on the Google doc draft: @SecurityCRob @kurtseifried @andrewpollock @zmanion @Cyber-JiuJiteria