All Topics
All Topics
Technology
Technology
AI
AI
Business
Business
Entertainment
Entertainment
News
News
Programming
Programming
Science
Science
Design
Design
Environment
Environment
Finance
Finance
Crypto
Crypto
Politics
Politics
Sports
Sports
Education
Education
Gaming
Gaming
Art
Art
Music
Music
Health
Health
Security
Security
Books
Books
Food
Food
Travel
Travel
Personal
Personal
Bluesky
Twitter

Inside a CVE dispute: How the curl project handles vulnerability assignments as a CNA

By

https://daniel.haxx.se/blog/author/daniel/

10d ago· 7 min readenInsight

Summary

The curl project, which operates as a CVE Numbering Authority (CNA), discusses a dispute over a CVE assignment. The author explains how being a CNA allows the curl team to self-assign CVEs for security issues in their territory, avoiding bogus external CVEs. They detail their process of handling 57 CVEs over the years and describe a specific dispute where an external party disagreed with their decision not to assign a CVE to a particular issue. The article explores the tensions between CNA autonomy and external pressure, the philosophy of vulnerability disclosure, and the responsibilities that come with being a CNA.

Source

bskyInside a CVE dispute: How the curl project handles vulnerability assignments as a CNAdaniel.haxx.se

Key quotes

· 4 pulled
This means that we are masters of and can allocate our own CVE identifiers.
For any security problems within our territory, it is we who decides if the issue should get a CVE or not. No more bogus CVEs.
Getting a CVE for an issue is easy and really quickly done when you are a CNA.
No hassle, no friction and as we are a small and lean security team it just works as smoothly as you could ask.
Snippet from the RSS feed
A few years years ago the curl project signed up and became a CNA. This means that we are masters of and can allocate our own CVE identifiers. For any security problems within our territory, it is we who decides if the issue should get a CVE or not. No mo

You might also wanna read

Comments

Sign in to join the conversation.

No comments yet. Be the first.