curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all for all products made and managed by the curl project. This includes curl, libcurl, and trurl.

cve.org/Media/News/item/news/2…

#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity

100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.

My take on this is that. like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own which I understand can given them some control over the content of CVEs filed against their project. cve.org/ProgramOrganization/CN…

#cve #cvss #cna #oss