Linux is a CNA

As was recently announced, the Linux kernel project has been accepted as a CVE Numbering Authority (CNA) for vulnerabilities found in Linux.

This is part of a trend of more open source projects taking over the haphazard assignment of CVEs against their project by becoming a CNA, so that no other group can assign CVEs without their involvement. Here’s the curl project doing much the same thing for the same reasons. I’d like to point out the great work that the Python project has done in supporting this effort, and the OpenSSF project also encouraging it and providing documentation and help for open source projects to accomplish this. I’d also like to thank the cve.org group and board, as they all made the application process very smooth for us and provided loads of help in making this all possible.

As many of you all know, I have talked a lot about CVEs in the past, and yes, I think the system overall is broken in many ways, but this change is a way for us to take more responsibility for this, and hopefully make the process better over time. It also looks like work that all open source projects might be mandated to do under the recent rules and laws being enacted in different parts of the world, so having this in place for the kernel will allow us to notify all sorts of different CNA-like organizations if needed in the future.

For more details about how this is all going to work for the kernel, please see this documentation addition. The process might be a bit different from how other CNAs work, but for the most part that’s because the kernel lives at a different layer than most other software projects, and our user base is one of the widest and most varied compared to almost all other software projects (curl being of course the exception, that project is everywhere!).

You can find all of our allocated CVEs on this mailing list, and subscribe to it if you want to get them all in your inbox automatically. A git repo of them can be found here, but note that the structure of the repo will change over time as we learn and manage the process better, so don’t count on anything being set in stone in the git tree for a while.

I’ll write more in the future once the process is up and working and assigning CVEs in a smooth fashion. This announcement is just the first step, allowing us to be the manager of the CVE allocation process for Linux.

Update: the first and second versions of the documentation patch were wrong; it was an old one and had some mistakes based on review from many different parties. See here for the third version that should address the reported issues.