
Re: New CNA - Cloudflare



We need to discuss how we deal with SCOPE with all new CNAs. I do not want a massive number of freelancing types of CNAs.

 

Scope: All Cloudflare products, projects hosted at https://github.com/cloudflare/ and any vulnerabilities discovered by Cloudflare that are not covered by another CNA

 

This kind of add-on is just not useful from my perspective. The CNAs would use this as an excuse for laziness when they discover a vulnerability in some other product instead of doing the work required to assure another CNA is not covering it. I propose we focus all CNAs that are vendors on their products only. If they find an issue in another’s product they should report it so the right CNA is located. As described, it is easier for them to just assign it because doing anything else takes time and resources, thus causing problems for others. Scope needs focus.

 

Thank you, Gracias, Grazie, 谢谢, Merci!, Спасибо!, Danke!, ありがとう, धन्यवाद!

-- 

Kent Landfield

+1.817.637.8026

kent_landfield@mcafee.com

 

From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Evans, Jonathan L." <jevans@mitre.org>
Date: Monday, March 5, 2018 at 10:16 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: New CNA - Cloudflare

 

Greetings,

 

Cloudflare is now a CNA.

 

Scope: All Cloudflare products, projects hosted at https://github.com/cloudflare/ and any vulnerabilities discovered by Cloudflare that are not covered by another CNA

Disclosure Policy location: https://www.cloudflare.com/disclosure/

Advisory locations: https://hackerone.com/cloudflare/hacktivity

Public point of contact: cna@cloudflare.com

CNA Type: Vendors and Projects

 

Thanks,

Jonathan Evans

CVE Numbering Authority (CNA) Coordinator

CVE Team


Page Last Updated or Reviewed: March 06, 2018