
Re: New CNAs



> Awesome, any word on OpenSSL becoming a traditional CNA?
We (OpenSSL) haven't asked to be one yet.  I think it needs a little more 
thought and consideration because it doesn't really make sense to have 
every OSS project which releases only a handful of CVEs a year have the 
overhead of being a CNA.  It made sense for Apache (since the ASF security 
team is an umbrella, similar to DWF in a way, to hundreds of other 
projects, each with their own processes and policies, and we churn through 
a lot of CVEs, and where the DWF process would actually be more overhead).
So I was planning to hedge our bets, continuing to take OpenSSL issues 
from the Red Hat CNA pool, and wait a few months to see what makes sense.
Mark


Page Last Updated or Reviewed: August 22, 2016