On Wed, Feb 14, 2024 at 03:38:52PM +0100, Jiri Kosina wrote:
> On Wed, 14 Feb 2024, Greg Kroah-Hartman wrote:
>
> > The people that make up the current team, Lee, Sasha, and I, have a LONG
> > history of fixing and triaging and managing security bugs for the
> > kernel, in the community and in corporate environments. We know how to
> > do this as we have been doing it for decades already.
>
> Thanks for clarifying. Maybe the wording could use some more verbosity
> then; one of my potential readings of it was "everything that gets picked
> for -stable will get a CVE assigned".

CVE has a very specific definition already, as per cve.org:

    CVE Record is the descriptive data about a vulnerability associated
    with a CVE ID, provided by a CVE Numbering Authority (CNA). This data
    is provided in multiple human and machine-readable formats.

And they define "vulnerability" as:

    An instance of one or more weaknesses in a Product that can be
    exploited, causing a negative impact to confidentiality, integrity, or
    availability; a set of conditions or behaviors that allows the
    violation of an explicit or implicit security policy.

and as a CNA we must follow that definition.

No need to restate the CVE rules in our own document; I am sure that if we
don't follow them, lots of people will be quick to point it out and we will
revoke those ids that we mess up on.

thanks,

greg k-h