|
|
Awesome, any word on OpenSSL becoming a traditional CNA?
We (OpenSSL) haven't asked to be one yet. I think it needs a little more thought and consideration because it doesn't really make sense to have every OSS project which releases only a handful of CVE a year have the overhead of being a CNA. It made sense for Apache (since ASF security team is an umbrella, similar to DWF in a way, to hundreds of other projects, each with their own processes and policies and we churn through a lot of CVEs, and where DWF process would actually be more overhead).
So I was planning to hedge our bets, continuing to take OpenSSL issues from the Red Hat CNA pool, and wait a few months to see what makes sense.
Mark