On Sun, Apr 28, 2019 at 11:51 PM Stanislav Malyshev <smalys...@gmail.com> wrote:
> I have set up PHP as CNA (CVE Identifiers authority) with MITRE. That
> means that we will be assigning our own CVEs from now on. The process in
> broad strokes works like this:
>
> 1. We request a block of numbers
> 2. When we have security bug, we use one of the numbers in the block
> 3. We create CVE descriptions and commit them to the cvelist repo
>
> Much more detailed documentation on how it is done is here:
> https://wiki.php.net/cve
>
> So far I am the only one who is registered to commit CVE descriptions to
> MITRE upstream repo, but if somebody wants to do it too, I'm sure it can
> be arranged.
> Note that you can assign CVE to a bug not yet fixed or published in the
> open. Please use this capability responsibly and keep the tracking in
> https://wiki.php.net/cve . If you are not familiar with the process or
> don't want to bother, just put "needed" as CVE number and it will be
> taken care of. Please do not enter the bug details into the public repo
> before the fix is released.
>

Thank you, Stas, for arranging this autonomy. We should probably have at least three MITRE committers, to raise our bus factor. Phar's had a rash of secbugs lately, so I can participate as part of the phar remediation workflow, though I'd be quite happy to defer to anyone else.