
Re: pulling in other vulnerability databases

On Thu, 2018-01-25 at 10:17 -0500, Antoine Beaupré wrote:
> > OS vendors (RH/SUSE)
> > Upstream projects (Xen, Linux etc)
> I believe those already follow the CVE process and eventually converge
> over doing the right thing. So I am not really concerned about those
> people.

Linux has a security contact (security@kernel.org), but this is only
used for reporting bugs and discussing how to fix them; CVE assignments
are left to distributions, DWF, etc.  Many security fixes don't get
discussed there anyway.

I would estimate that less than half of security fixes in Linux
actually get CVE IDs.


Ben Hutchings
Unix is many things to many people,
but it's never been everything to anybody.
