Hi! I have set up PHP as a CNA (CVE Identifiers authority) with MITRE. That means that we will be assigning our own CVEs from now on. The process in broad strokes works like this:
1. We request a block of numbers
2. When we have a security bug, we use one of the numbers in the block
3. We create CVE descriptions and commit them to the cvelist repo

Much more detailed documentation on how it is done is here: https://wiki.php.net/cve

So far I am the only one who is registered to commit CVE descriptions to the MITRE upstream repo, but if somebody wants to do it too, I'm sure it can be arranged.

Note that you can assign a CVE to a bug not yet fixed or published in the open. Please use this capability responsibly and keep the tracking in https://wiki.php.net/cve . If you are not familiar with the process or don't want to bother, just put "needed" as the CVE number and it will be taken care of. Please do not enter the bug details into the public repo before the fix is released.

If you have any questions about this, please ask me.

--
Stas Malyshev
smalys...@gmail.com