Application to become a CVE Numbering Authority (CNA)
Joseph Reynolds
jrey at linux.vnet.ibm.com
Sat Dec 1 03:32:36 AEDT 2018
The OpenBMC Security Working group is working toward becoming a CVE
Numbering Authority (CNA)[1] as the way to share security
vulnerabilities. Our draft application is in Gerrit review 15621[2].
It talks about the exact boundary between OpenBMC and closely related
code such as Yocto, OpenEmbedded, and support for various machines and
boards. It also addresses how to handle forked versions of OpenBMC. I
am seeking input especially in these areas.
This initiative is an add-on piece that would be handled by the "OpenBMC
security vulnerability reporting process"[3].
Please review.
Thanks,
Joseph
[1]: https://cve.mitre.org/cve/ "CVE / CNA"
[2]: https://gerrit.openbmc-project.xyz/#/c/15621 "draft CNA application"
then click on cna-request.md
[3]: https://github.com/openbmc/docs/blob/master/security/obmc-security-response-team.md "OpenBMC security vulnerability reporting process"