So we now have a failure case, an embargoed set of issues were posted to the distros list, I was not explicitly asked to assign CVE's, but did, and it turns out CERT also assigned CVEs. CERT published first, so I reject'ed mine (
https://github.com/CVEProject/cvelist/pull/314).
This brings up the issue of what do we do when a reporter has an issue(s) and doesn't explicitly ask a CNA for CVEs, but more than one CNA see it, and want to assign a CVE to it because the issues would significantly benefit from CVEs? Most scopes do not overlap, with one glaring exception, "Open Source".
So thoughts/comments? Should we only assign a CVE if asked, and then if not asked default to some sort of notification protocol? Should we simply go with the "first to publish" rule like for public issues? Other options?
--
Kurt Seifried -- Red Hat -- Product Security -- CloudPGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993Red Hat Product Security contact: secalert@redhat.com