Application to become a CVE Numbering Authority (CNA)

Joseph Reynolds jrey at
Sat Dec 1 03:32:36 AEDT 2018

The OpenBMC Security Working group is working toward becoming a CVE 
Numbering Authority (CNA)[1] as the way to share security 
vulnerabilities.  Our draft application is in Gerrit review 15621[2].  
It talks about the exact boundary between OpenBMC and closely related 
code such as Yocto, OpenEmbedded, and support for various machines and 
boards.  It also addresses how to handle forked versions of OpenBMC. I 
am seeking input especially in these areas.

This initiative is an add-on piece that would be handled by the "OpenBMC 
security vulnerability reporting process"[3].

Please review.


[1]: "CVE / CNA"

[2]: "draft CNA 
then click on

[3]: "OpenBMC security vulnerability reporting process"
