curl is now a CVE Numbering Authority (CNA) assigning CVE IDs for all for all products made and managed by the curl project. This includes curl, libcurl, and trurl.

https://cve.org/Media/News/item/news/2024/01/16/curl-Added-as-CNA

#CVE #CNA #VulnerabilityManagement #Vulnerability #Cybersecurity

100% agreed that the CVSS scoring system and "assume the worst" guidance makes for scores that do not accurately reflect importance. Especially for very broad-use things.

My take on this is that. like it or not, more open source projects of note need to become "CNA" (certificate numbering authorities) of their own which I understand can given them some control over the content of CVEs filed against their project. https://www.cve.org/ProgramOrganization/CNAs

#cve #cvss #cna #oss