-
-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
CNA scope conflict improvement #6612
base: master
Are you sure you want to change the base?
Conversation
Disagree. We still handled it by coordinating with the other CNA, we just didn't assign it ourselves. This exists because we need maintainers not to go run off themselves and have CVEs assigned. |
@@ -101,7 +101,7 @@ The following is a rough approximation of the typical recommended lifecycle of a | |||
.. The security team provides a private repository for that work in the `jenkinsci-cert` GitHub organization. | |||
.. Work usually happens on a branch, and a corresponding pull request will be used for review. | |||
. A *date and time of the release is coordinated* between the security team and maintainers. | |||
The security team handles CVE ID assignment, advance notification of users, and creation of the security advisory. | |||
The security team handles CVE ID assignment (in cases where there is no CNA scope conflict), advance notification of users, and creation of the security advisory. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We still handled it by coordinating with the other CNA, we just didn't assign it ourselves.
Do you prefer an approach like this one ,or do you think it should not be mentioned?
The security team handles CVE ID assignment (in cases where there is no CNA scope conflict), advance notification of users, and creation of the security advisory. | |
The security team handles CVE ID assignment (assignment may require coordination with another CNA in case of a scope conflict), advance notification of users, and creation of the security advisory. |
We recently had a misunderstanding regarding the assignment of CVEs when there's a scope conflict with another CNA.
(see SECURITY-3141)