Background:
A Common Vulnerabilities and Exposures Identifier (CVE-ID) uniquely identifies a single security vulnerability in affected versions of a software product. This is very useful for being able to precisely communicate about and collaborate on vulnerabilities. Are you and I talking about the same open redirect vulnerability? It's clearer if they're uniquely identified.
CVE identifiers are issued by CVE Numbering Authorities (CNAs). It's hierarchical, DNS-style or SSL-cert-style, with a root ("primary") authority delegating scoped responsibility to downstream authorities, who can delegate scoped authority to further downstream authorities, who can... Authorities are allocated namespace in the CVE identifier space so that CNAs do not multiply assign a single identifier, and scopes are non-overlapping to reduce assigning multiple identifiers for a single vulnerability.
The Distributed Weakness Filing (DWF) Project is the catch-all CNA for open source projects not otherwise covered by a CNA. (Major "vendors" such as Apache, Google, Mozilla, Red Hat, and Ubuntu are themselves CNAs under the primary authority.)
Problem:
Solution:
Is this worth doing? Apereo would have to marshal some attention and effort to operate this process on an ongoing basis, to fulfill the rules, and to issue our projects CVE-IDs in a timely manner, but it could improve confidence, clarity, consistency, and timeliness for the CVE assignment part of responding to security vulnerabilities in Apereo products.
Anyone else have passion for making this happen?
-Andrew