We need to discuss how we deal with SCOPE with all new CNAs. I do not want a massive number of freelancing types of CNAs.
Scope: All Cloudflare products, projects hosted at https://github.com/cloudflare/
any vulnerabilities discovered by Cloudflare that are not covered by another CNA
This kind of add-on is just not useful from my perspective. The CNAs would use this as an excuse for laziness when they discover a vulnerability in some other product instead of doing the work required to assure another CNA is not covering it. I propose we focus all CNAs that are vendors on their products only. If they find an issue in another’s product they should report it so the right CNA is located. As described, it is easier for them to just assign it because doing anything else takes time and resources, thus causing problems for others. Scope needs focus.