Inside a CVE dispute: How the curl project handles vulnerability assignments as a CNA
By
https://daniel.haxx.se/blog/author/daniel/
Summary
The curl project, which operates as a CVE Numbering Authority (CNA), discusses a dispute over a CVE assignment. The author explains how being a CNA allows the curl team to self-assign CVEs for security issues in their territory, avoiding bogus external CVEs. They detail their process of handling 57 CVEs over the years and describe a specific dispute where an external party disagreed with their decision not to assign a CVE to a particular issue. The article explores the tensions between CNA autonomy and external pressure, the philosophy of vulnerability disclosure, and the responsibilities that come with being a CNA.
Source
bskyInside a CVE dispute: How the curl project handles vulnerability assignments as a CNAdaniel.haxx.seKey quotes
· 4 pulledThis means that we are masters of and can allocate our own CVE identifiers.
For any security problems within our territory, it is we who decides if the issue should get a CVE or not. No more bogus CVEs.
Getting a CVE for an issue is easy and really quickly done when you are a CNA.
No hassle, no friction and as we are a small and lean security team it just works as smoothly as you could ask.
You might also wanna read
25-Year-Old curl Vulnerability (CVE-2026-8932) Patched in Record 18-CVE Security Release
A critical 25-year-old security vulnerability (CVE-2026-8932) in curl, dating back to version 7.7 from March 2001, has been patched as part
cybersecuritynews.com·12d ago
High severity vulnerability found in libcurl and curl (CVE-2023-38545)
Linux's Role as CNA: Managing Kernel Security Vulnerabilities and CVE Tracking
The article discusses Linux's transition to becoming a CNA (Certificate Numbering Authority) for the Linux kernel, making the kernel.org com
AI Security Tools Find 50 Real Bugs in cURL Open-Source Project
A security researcher successfully used AI-based static application security testing (SAST) tools to identify 50 real bugs in the widely-use
curl Open Source Project Security Reporting Policy
The curl open source project outlines its security reporting policy, stating that it accepts security reports for problems found in its prod
Understanding the Linux Kernel Security Process and CVE Release Workflow
This article explains the Linux kernel security process and CVE (Common Vulnerabilities and Exposures) release process. The author, who has

Comments
Sign in to join the conversation.
No comments yet. Be the first.