Security Working Group - OpenBMC working to become a CVE numbering authority (CNA)
Joseph Reynolds
jrey at linux.ibm.com
Thu Nov 11 07:41:22 AEDT 2021
On 11/10/21 2:35 PM, Joseph Reynolds wrote:
> On 11/10/21 8:38 AM, Joseph Reynolds wrote:
>> This is a reminder of the OpenBMC Security Working Group meeting
>> scheduled for this Wednesday November 10 at 10:00am PDT.
>>
>> We'll discuss the following items on the agenda
>> <https://docs.google.com/document/d/1b7x9BaxsfcukQDqbvZsU2ehMq4xoJRQvLxxsDUWmAOI>,
>> and anything else that comes up:
>>
>
> Attended: Joseph, Bruce, Vernon, James, Caci, Jiang, Dick, Ratan,
> Dhananjay
>
>
> Agenda items discussed:
...snip...
> 2 Should OpenBMC become a CVE Numbering Authority (CNA).
>
> Ref: https://www.cve.org/ResourcesSupport/AllResources/CNARules
>
> This would better integrate the CVE process with github.
>
> OpenBMC looked into becoming a CNA years ago. See the old review:
> https://gerrit.openbmc-project.xyz/c/openbmc/docs/+/15621
>
> Is it worthwhile for OpenBMC to become a CNA? Yes, we have had
> multiple CVEs per year and believe this will continue. We have filled
> out the form (at cve.mitre.org) to create CVEs and have become
> familiar with writing CVE language.
>
> We agreed to pursue becoming a CNA. No objections. James will follow
> up.
The OpenBMC security response team is working to become a CVE Numbering
Authority (CNA).