Re: pulling in other vulnerability databases

On 2018-01-26 00:31:19, Ben Hutchings wrote:
> On Thu, 2018-01-25 at 10:17 -0500, Antoine Beaupré wrote:
> [...]
>> > OS vendors (RH/SUSE)
>> > Upstream projects (Xen, Linux etc)
>> I believe those already follow the CVE process and eventually converge
>> over doing the right thing. So I am not really concerned about those
>> people.
> [...]
> Linux has a security contact (security@kernel.org), but this is only
> used for reporting bugs and discussing how to fix them; CVE assignments
> are left to distributions, DWF, etc.  Many security fixes don't get
> discussed there anyway.
> I would estimate that less than half of security fixes in Linux
> actually get CVE IDs.

Well that's just disturbing. I am not sure, however, that I can
meaningfully change this by ... er... say writing the kernel mailing
lists, unfortunately.

I haven't got a reply from Snyk.io (yet?) by the way. I suspect I may
not get anything at all... Any other ideas as to the next steps in
general here?


May your trails be crooked, winding, lonesome, dangerous, leading to
the most amazing view. May your mountains rise into and above the
                        - Edward Abbey