undefined | Better HN

0 pointsmike_d2y ago0 comments

Answering your original question to posted to me a bit down thread with this important context. The answer to "why not issue a CVE?" is the same reason that you don't call every random car burglary or graffiti an act of terrorism.

While I agree the whole Linux CVE thing is a bit overblown, but as an outside observer the new policy [1] does not read like they are super happy with CVE in general.

Too bad the CFP is closed for VulnCon, it might be fun to do a "Assume everything is wrong and you can't do anything the way you do it now - how do you build CVE 2.0" (also that title is too long).

1. https://lwn.net/ml/linux-kernel/2024021314-unwelcome-shrill-...

0 comments

MZMegaZone2y ago

We got around 150 submissions for 30ish panel slots over three days, so we're good there. Schedule should be out soon.

The CVE program has grown and changed a lot the past few years, and the rules are undergoing a major revision right now (comment period currently) taking in a lot of the feedback. And the rate of CNAs joining has been picking up rapidly as global interest in the program has increased.

No one thinks it is perfect, but that's why a lot of us are active in the working groups and trying to keep moving things forward.

j / k navigate · click thread line to collapse