On Thu, May 13, 2021 at 10:22:05PM -0700, syzscope sys wrote:
> I just found out that Ubuntu is on the CVE CNA list.
> Do you think it's possible that Ubuntu could assign the CVEs for those
> issues directly instead of asking Google? Once the CVE is assigned, it
> should also not only benefit Ubuntu but also other potentially affected
> kernels.

Yes, Ubuntu is a CNA -- it's one of my roles. :)

I suggested using one of Google's CNAs for a few reasons:

- Google has vastly more resources than we do. Doing a decent job of
  assigning CVEs takes time and effort, and we're already trying to do
  too much with too few resources. Taking on the essentially unbounded
  amount of work of "assign CVEs for all syzkaller findings" is, simply
  speaking, not a commitment that I can make.

- Google's syzkaller and infrastructure are already doing the work to find
  and publicise the issues; it's quite common for vulnerability
  discoverers to use their own internal CNA resources for this.

I know Canonical, and Ubuntu users, would be better off if someone
assigned CVEs to these findings. It's just not something I can commit to
doing because of the scale of work involved.

Thanks

