I'm with @gregkh on this: all Open Source projects should become CNAs.
Or team up with others to do it.
@bagder @gregkh I disagree with the second alternative.
For small projects, this would, just like current CNAs, incur a significant coordination and time overhead.
For the small project I maintain, I currently flat out refuse to take part in that security theater, because CNA websites tell me I would need to potentially wait days to receive a CVE number. That would delay publishing security fixes by multiple orders of magnitude.
It must not take longer than 1 second to allocate a CVE number.
@gregkh @manx @bagder It's a simple API call, sure, but it has to be done *by* the CNA, which is not something that's, for now, easy to automate or "make fast".
If open source projects can be their own CNAs, or if a process allows a project of a certain size to become a CNA, the process can be abstracted, generalized, and automated somehow.
Many projects already have their own "security inquiry contact form" that can be used before a CVE is published. Not the same process, but it helps a bit.