Closed sethmlarson closed 9 months ago
Great idea and it should be possible to get relevant feedback integrated back into the CVE Program practices and documents (I offer to help with that if needed).
Also an option for some projects (for whom the juice may not be worth the squeeze) is to request CVE IDs from more "local" CNAs such as Red Hat or GitHub.
@zmanion Agreed! I'll keep a list of items that aren't covered in CNA Rules or documented until after you begin onboarding:
STRONG endorse of Seth's work putting this together to share with the community.
This can be closed, correct @sethmlarson ? This is out now I think.
Oh yes, this is complete! Thought it was set up to auto-close on the PR :)
Thanks for your hard work here, team. Is there a link to the final product available?
Motivation and Plan
Recently I've seen more Open Source projects express a desire to have input into the CVE process, and doing so today requires becoming a CNA, something which can seem daunting at first glance.
Recently the PSF has been authorized as a CNA. I wanted to create some guidance from what the PSF team learned from going through the revamped process, to add visibility into all steps of the process, and answer common questions that Open Source projects specifically might ask during onboarding.
Once the PSF has gotten more experience as a CNA I plan to create a second piece of guidance ("Operating a CNA as an Open Source Organization or Project") that will serve to really show if the "juice is worth the squeeze".
Links