Hi

On Thu, Jan 02, 2020 at 06:57:39PM +1100, Dmitry Smirnov wrote:
> On Thursday, 2 January 2020 6:20:23 PM AEDT Salvatore Bonaccorso wrote:
> > The good thing on having a CVE id for the vulnerabilities is helping
> > other vendors to track the issues properly 'cross-vendor' in a unique
> > way. If every upstream would use individual identifiers to track their
> > vulnerabilities, this makes the work of downstream security teams much
> > harder. Nowadays MITRE has improved a lot on their processes on
> > assigning CVEs, and well filled reports at https://cveform.mitre.org/
> > get quickly assigned a CVE respectively (this somehow depends though on
> > how good the report is done). I know some upstreams did in the past make
> > frustrating experiences, and do not want to try that out again.
>
> Thank you so much, that is exactly what I've been looking for.
> I'll pass that to upstream.
>
> It would be great to add your explanation to "Debian Upstream Guide" for easy
> reference:
>
> https://wiki.debian.org/UpstreamGuide

Ah I see there was already a mention of requesting CVEs *but* it was
pointing to a no longer available site of people.redhat.com, I updated
the reference to https://github.com/RedHatProductSecurity/CVE-HOWTO
(and furthermore asked there to not mention DWF anymore for assigning
CVEs as well, see
https://github.com/RedHatProductSecurity/CVE-HOWTO/issues/5).

Regards,
Salvatore