New CNA - Cloudflare

New CNA - Cloudflare

Evans, Jonathan L.

Greetings,

 

Cloudflare is now a CNA.

 

Scope: All Cloudflare products, projects hosted at https://github.com/cloudflare/ and any vulnerabilities discovered by Cloudflare that are not covered by another CNA

Disclosure Policy location: https://www.cloudflare.com/disclosure/

Advisory locations: https://hackerone.com/cloudflare/hacktivity

Public point of contact: [hidden email]

CNA Type: Vendors and Projects

 

Thanks,

Jonathan Evans

CVE Numbering Authority (CNA) Coordinator

CVE Team

Re: New CNA - Cloudflare

Landfield, Kent

We need to discuss how we deal with SCOPE with all new CNAs. I do not want a massive number of freelancing types of CNAs.

 

Scope: All Cloudflare products, projects hosted at https://github.com/cloudflare/ and any vulnerabilities discovered by Cloudflare that are not covered by another CNA

 

This kind of add-on is just not useful from my perspective. The CNAs would use this as an excuse for laziness when they discover a vulnerability in some other product instead of doing the work required to assure another CNA is not covering it. I propose we focus all CNAs that are vendors on their products only. If they find an issue in another’s product they should report it so the right CNA is located. As described, it is easier for them to just assign it because doing anything else takes time and resources, thus causing problems for others. Scope needs focus.

 

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

[hidden email]

 

From: <[hidden email]> on behalf of "Evans, Jonathan L." <[hidden email]>
Date: Monday, March 5, 2018 at 10:16 AM
To: cve-editorial-board-list <[hidden email]>
Subject: New CNA - Cloudflare

 

Greetings,

 

Cloudflare is now a CNA.

 

Scope: All Cloudflare products, projects hosted at https://github.com/cloudflare/ and any vulnerabilities discovered by Cloudflare that are not covered by another CNA

Disclosure Policy location: https://www.cloudflare.com/disclosure/

Advisory locations: https://hackerone.com/cloudflare/hacktivity

Public point of contact: [hidden email]

CNA Type: Vendors and Projects

 

Thanks,

Jonathan Evans

CVE Numbering Authority (CNA) Coordinator

CVE Team