Question about dual source vendors

[Kurt Seifried <kseifried@redhat.com>]

So increasingly we have "dual source" vendors, that is vendors with everything from fully OSI Open Source to completely closed source. Basically any large commercial vendor already (Microsoft, Oracle, etc.) and a growing number of others (witness the proliferation of GitHub projects). 

I am talking to one that is not a CNA, and they want to do CVEs for both their Open Source, and their closed source. But there is no easy way to do this currently other than ask cve-assign@mitre.org directly (and it seems after they read the https://cve.mitre.org/cve/data_sources_product_coverage.html document they were under the impression cve-assign@mitre.org could NOT do it). 

I would like to propose that for vendors where Open Source is a major part of what they ship, or the core of their commercial; product that the DWF be able to take them under it's wing as it were.

One hypothetical example that fits into this model would be a company like Ansible (let's ignore the fact that Red Hat acquired it and as such Ansible falls under the Red Hat CNA), Ansible currently has "ansible" which is the Open Source core, and Ansible tower which is a currently closed source management/dashboard. I think in a case like this it makes sense to have a company like Ansible be a CNA under the DWF for both the Open Source parts and the closed source parts. 

Thought/comments?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com