On Thu, 2018-01-25 at 10:17 -0500, Antoine Beaupré wrote: [...] > > OS vendors (RH/SUSE) > > Upstream projects (Xen, Linux etc) > > I believe those already follow the CVE process and eventually converge > over doing the right thing. So I am not really concerned about those > people. [...] Linux has a security contact (firstname.lastname@example.org), but this is only used for reporting bugs and discussing how to fix them; CVE assignments are left to distributions, DWF, etc. Many security fixes don't get discussed there anyway. I would estimate that less than half of security fixes in Linux actually get CVE IDs. Ben. -- Ben Hutchings Unix is many things to many people, but it's never been everything to anybody.
Description: This is a digitally signed message part