I'm with @gregkh on this: all Open Source projects should become CNAs.

Or team up with others to do it.

@bagder @gregkh "CNA" in this context stand for?

@tante @gregkh CVE Numbering Authority: https://www.cve.org/programorganization/cnas

@bagder @gregkh thank you!

@bagder @gregkh Agreed, I think the easiest way to get a large amount of coverage for small projects would be if GitHub allowed "scoping" projects through their GHSA program.

I should probably write a blog post about what being a CNA using GHSA looks like.

@bagder @gregkh in addition to that, the CVE program should become more independent of CISA. Either by securing independent funding for MITRE or handing it over to some transnational organisation (maybe at the UN).

@bagder @gregkh sign me up. Looks like the OpenLDAP Project needs to team up here.

@bagder @gregkh I disagree with the second alternative.
For small projects, this would, just like current CNAs, incur a significant coordination and time overhead.
For the small project I maintain, I currently flat out refuse to take part in that security theater, because CNA websites tells me I would need to potentially wait days to receive a CVE number. That would delay publishing security fixes by multiple orders of magnitude.
It must not take longer than 1 second to allocate a CVE number.

@manx @gregkh good news: it takes no longer than a second to get a CVE as a CNA. In fact, you need to be a CNA to get it that fast as then you can just request one yourself.

@manx @bagder It does not take longer than that, it's a "simple" api call (i.e. a scripted curl command) that any CNA can do to get a CVE number, and you can allocate any amount at once (within reason, CNAs have a max they are allowed to request and "hold" without assigning at any point in time, usually around 500 or so.)

@bagder @gregkh Sure, I assumed that much.
But becoming and maintaining to be a CNA also just screams "waste of time", just as requesting CVE numbers from other CNAs does.
All this bureaucratic overhead just to allocate a unique identifiers for security vulnerabilities.
For a small project with just 2 developers, none of this makes any reasonable sense.
If the process of becoming a CNA would be simpler, i.e. trivial, things would look different.

@manx @bagder There is no work involved in "maintaining" a CNA, other than actually doing the normal work of being a CNA by assigning CVEs to your project when needed.
Yes, it takes a small bit of time to become a CNA, but it's really painless and it involves a small amount of homework to show that you know how the process works, which is a good thing for everyone involved. Once completed, being a CNA is trivial.

But if you don't want to be one, fine, just hit up a CNA that can give you a CVE id if needed for your project (Red Hat and Github do this for open source projects), but then you are at the mercy of their workloads, not yours. It all depends on who you wish to depend on, someone else, or yourself :)

@manx @gregkh becoming a CNA really is a very easy and low effort process. Being a CNA is similarly not complicated - I would actually argue that it is less work to be a CNA than to *not* be one, if you ever do a CVE.

But hey, no one forces you to become a CNA. It's your choice!

@manx @bagder @gregkh tbh the whole thing is just MIC nonsense, if you want the bug to be uniquely identified just use a random string.

@gregkh @manx @bagder It's a simple API call, sure, but it has to be done *by* the CNA, which is not something that's, for now, easy to automate or "make fast".

If open source projects can be their own CNAs, or if a process allows a project of a certain size to become a CNA, the process can be abstracted, generalized, and automated somehow.

Many projects already have their own "security inquiry contact form" that can be used before a CVE is published. Not the same process, but it helps a bit.

@pierstoval @gregkh @manx @bagder

Automated? Oh god no, please no. There needs to be a human filter or we will be flooded with nonsense CVEs. This is already a problem, but it will get infinitely worse if 'everyone' can just spam numbers and pretend to be a security researcher.

Actual security researchers have their ways to get CVEs. The FOSS world has GitHub, which is also a CNA and makes it really easy to get a CVE. We of cause need an alternative to GitHub, but for more than one reason.

@defnull @gregkh @manx @bagder I should have explained myself when I said "automated", indeed: I'm not talking about 100% automated. I'm talking about "The people that can generate the CVE number is easier to contact, and they have tools that allow them to create the number in one click when they have validated the need".

It's just that, if there is only one "big entity" to create these numbers, this might introduce some inertia in how to validate the actual CVE.

@defnull @gregkh @manx @bagder Projects being their own CNAs would have the advantage of being composed of people that are "directly connected", both technically, but also in terms of community, as well as in tooling, to their project's ecosystem.

Today, emitting a security inquiry needs more than "just contacting the project's core team", that's the inertia.

And as said above: that's why some projects have their own "security contact", to fix the issue quicker, even if there's no CVE behind.

@pierstoval @defnull @gregkh @manx getting more Open Source and clueful people involved in the CVE process also benefits the program and ecosystem overall as we would increase the number of "good people" in all related conversations.

Of course, that's then no longer simple and easy but I can tell you that @gregkh and I have climbed a few barricades already in that context and I like to say it has made some small improvements. Maybe more to come.

@bagder @defnull @gregkh @manx I can't imagine how it's gonna be in the future!

We could imagine CVE referees on projects like the linux kernel, but smaller ones for things like php, go, rust or java, and frameworks with bigger teams like symfony, laravel, react, or popular CMSes, and so one.

I think that would help a lot in qualifying security issues quicker, especially if it's all about using the currently-somehow-centralized CVE system.

@pierstoval @gregkh @manx @bagder

The GitHub Security Advisory model is an almost perfect solution in my book. A platform where anyone can open private issues only visible to the project maintainers, provide context, work with the maintainers on a solution, draft a public CVE text and score, and at some point the project maintainers can press a button, some human looks at it, and you get your CVE within a day or two.

The only issue is GitHub. We need this, but run by a trustworthy party.

@pierstoval @gregkh @manx @bagder

It would of cause be nice if projects could self-host all that. But the "human looks at it" part should be done by an independent party, not by the reporter nor by the project maintainers. The decision to create a CVE should be the result of an independent review by a human. So we still need independent CNAs that are run by professionals, preferably more than one but still not 'everyone'.

@defnull @gregkh @manx @bagder And if projects could self-host that, it would be great that such system could be open-sourced, so that the only "requirement" to be able to become a CNA would be a valid integration with the current CVE system. Like anyone could self-host and become a CNA, but the only "valid" CNAs would be the one internally connected to the CVE system (token, oauth, whatever stuff that you cannot do automatically, and need to register for).
Any project could do it, if legit

@defnull @gregkh @manx @bagder This way, such system could be integrated with Github, Gitlab, ForgeJo, or anything, and have their own private space for the submitter, accessible only for the project maintainers, and when everything is "ready to be CVE-ed", send this by one click to the "centralized CVE validation system" so that, in one click after having reviewed everything, they can just say "Ok, let's publish a CVE for this issue", etc.

That's the "automated" part I was talking about.

@pierstoval @defnull @manx @bagder Um, we have that today, with the CVE infrastructure. Any open source project can become a CNA now, and once that is done, they have access to do everything you are asking for.

There is always going to be a "hurdle" of signing up to get that token/oath/whatever, which is what the process is for in becoming a CNA (proof you know how to issue a cve properly, using the tools). So no matter who "hosts" this thing, it's going to be the same.

Try it yourself and see!

@pierstoval @defnull @manx @bagder Again, we have that today, there is a "one click submission to assign a CVE web form" that a CNA can use (and many do.)

So I really don't understand what you are wanting to see created that isn't already here for you to use today.

@gregkh
Oh, I probably misinterpreted everything! I thought this kind of system was already missing/lacking, because I don't see many projects that are a CNA themselves that could help in the CVE publication process 😅

@gregkh @defnull @bagder @pierstoval The gatekeeping of being a blessed CNA is the problem here. If it would be so trivial as you want to make it sound, it should not exist at all, and that form should just be freely accessible.
Looking at the various documents of how to become a CNA, this is at least a day worth of work. That's WAY too much for a spare-time project.

@manx @defnull @bagder @pierstoval There will always be something that has to be a "gatekeeper" to get access so that you can assign identifiers, otherwise the system is useless and will be flooded with junk.

There are other alternatives to CVE, if you don't want to go through the "hoops" that cve.org puts up, but all of those alternatives also require a basic "here's how you work with our system and let's verify you are a real person/group to be using it", which all amount to pretty much the identical effort involved.

So it's fun to wish for free ponies, but someone has to be responsible for taking care of it :)

@pierstoval @gregkh @manx @bagder

But you do not need to be your own CNA to do all that, you just need to send the final result of that discussion to any CNA you trust for review, once you are sure that there is really an issue. All the discussion before that does not need a CVE number, because it is deliberately not discussed in public. Getting a CVE is the very last step, not the first.

@manx @defnull @bagder @pierstoval If there are steps involved that you feel are unneeded or "too much effort", let them know, they are responsive to making this process easy to work with.

Personally, I didn't find it took that long at all.

@gregkh @defnull @bagder @pierstoval I do not think the gatekeeping is useful.
Just make the identifiers anchored in some existing established system (like domain names, verified via https URLs, cve://example.com/ABCDEF12345678), and any CNA that is happy to verify an issued CVE is free to do so and put information it deems useful into a DB indexed by the CVE), in parallel to effort required to handle the issue at hand by the actual maintainers, instead of front-of-line blocking everything.

@gregkh @defnull @bagder @pierstoval Should current CNAs not be able to handle the additional work compared to what they handle now, the current system is already broken.

@manx @gregkh @defnull @pierstoval every system has a certain amount of breakage, and different such depending who you ask. I doubt anyone would claim that the CVE system is not full of problems and things to improve. But sitting on the outside complaining about those flaws probably has less effect than being part of it and trying to improve from the inside. I believe.

I think we need global vulnerability identifiers and right now CVE is the best such system we have.

@manx @gregkh @bagder @pierstoval

The gatekeeping is what keeps the CVE system somewhat usable. Without independent human review by professionals, what's left? An endless stream of numbers with no meaning, because all the attached metadata is no longer trustworthy at all.

If it's too easy to become a CNA, I guarantee you that within a week some AI company will push out thousands of slop CVEs without speaking to the maintainers first and then pretend to be relevant because of big numbers.

@bagder @gregkh @defnull @pierstoval I did actually suggest a constructive solution instead of just complaining.
I have yet to see a valid argument defending the gatekeeping against my solution.

@manx @bagder @defnull @pierstoval Your proposal seems to match what is currently available to you by asking for a CVE id from the existing CNAs that offer them (red hat and github). You always need a person involved in the process, and those two CNAs are giving you their time and resources to do this for you, for free. If you don't want the delay involved in using that resource, then again, you can spend a bit of your own resources (i.e. time, one time) to become a CNA so that you don't have to rely on others in the future.

Any system of "global identifiers" is going to do the same exact thing, this isn't unique to cve.org at all. It's just that cve.org actually allows you to take ownership of your own destiny, instead of being forced to rely on others, if you so desire.

@manx @bagder @gregkh @pierstoval

If I understand your correctly, you propose that anyone can create URL-based CVE 'numbers' and CNAs may review those and add them to an 'official' DB if deemed useful?

How is that different from just publishing an issue, blog post or release note and use the URL as an identifier to talk about it, until a security researcher, CERT or CNA picks it up and creates a CVE?

A CVE that is not reviewed and included in an official database is just a number.

@gregkh @defnull @bagder @pierstoval See, Red Hat or whoever can continue to do just the same thing as they currently do, with all the gatekeeping and delays they want.
Instead of making me wait on the holy identifier they throw at me AFTER they have done their work, I would provide them an identifier which they can use to do their work, in whatever time they need.

@defnull @bagder @gregkh @pierstoval Then the blessed CVE identifier is not referenced from the release that fixes it.
Currently, I can only reference official identifiers if I actively wait for them, thereby delaying the release of important security fixes, and this is IMHO not acceptable.

@manx @gregkh @bagder @pierstoval

But why do you need to wait for a CVE?

They exist to reference and discuss publicly known issues. They have no use if they are not in the CVE database, and they should only be in there after a review to avoid spam/slop.

In the draft phase, just use internal IDs (GitHub uses GHSA-* strings) and once the CVE exist, you can link those two together.

@manx @bagder @gregkh @pierstoval

You do not need a CVE to release a fix. It's the other way around, the CVE contains metadata which release fixes the issue. This metadata can be added later if the CVE exists before the fix. CVEs can be updated.

@defnull @bagder @gregkh @pierstoval But then it's just theater after the fact. There is no need to demand this work from each project. Everybody, any CNA, also just you personally, can do that. If your response is "but that's work!", then we have a problem right here. For you it's work, but for you it is apparently also fine to demand that work from every maintainer. It is my time the security community demands here, and I have seen little effort to make that work easier and more efficient.
...

@defnull @bagder @gregkh @pierstoval ...
The reason why I want to mention CVEs in the release notes is that, in my experience, the security community does not take releases without CVEs as serious as releases with CVEs, even when they get assigned CVEs afterwards. The security community appears to trust CNAs and CVEs more than project maintainers, which I consider problematic, and frankly also rude towards me or any other maintainer.
...

@defnull @bagder @gregkh @pierstoval ...
Now, I am aware of the problem of non-cooperating maintainers who refuse to acknowledge issues as security issues, and I agree that a third party should be involved in assessing the severity, however I refuse to accept that dealing with bad actors should increase the work for everyone else, especially if the mechanisms are not even effectively addressing the problem. That's the wrong tradeoff to make in my opinion.
...

@defnull @bagder @gregkh @pierstoval ...
In the past, we have also had exceptionally bad experiences with CVEs getting issued for our project. I do not know which CNAs where responsible for that, but every single CVE issued for our project was issued without contacting the project maintainers at all, neither from the CNA, nor from whoever requested the CVE.
...

@defnull @bagder @gregkh @pierstoval ...
The information and severity scores contained in these CVEs are about as random and inaccurate as one would expect when nobody ever talked to us. If CNAs are vetted for competence in order to generate trust, the system has already failed miserably. If they are not vetted, it's just gatekeeping theater nonsense.