CNA scope conflict improvement #6612

Kevin-CB · 2023-08-14T08:15:19Z

We recently had a misunderstanding regarding the assignment of CVEs when there's a scope conflict with another CNA.
(see SECURITY-3141)

daniel-beck · 2023-08-14T09:50:44Z

Disagree. We still handled it by coordinating with the other CNA, we just didn't assign it ourselves. This exists because we need maintainers not to go run off themselves and have CVEs assigned.

Kevin-CB · 2023-08-14T10:05:48Z

content/security/for-maintainers.adoc

@@ -101,7 +101,7 @@ The following is a rough approximation of the typical recommended lifecycle of a
 .. The security team provides a private repository for that work in the `jenkinsci-cert` GitHub organization.
 .. Work usually happens on a branch, and a corresponding pull request will be used for review.
 . A *date and time of the release is coordinated* between the security team and maintainers.
-  The security team handles CVE ID assignment, advance notification of users, and creation of the security advisory.
+  The security team handles CVE ID assignment (in cases where there is no CNA scope conflict), advance notification of users, and creation of the security advisory.


We still handled it by coordinating with the other CNA, we just didn't assign it ourselves.

Do you prefer an approach like this one ,or do you think it should not be mentioned?

Suggested change

The security team handles CVE ID assignment (in cases where there is no CNA scope conflict), advance notification of users, and creation of the security advisory.

The security team handles CVE ID assignment (assignment may require coordination with another CNA in case of a scope conflict), advance notification of users, and creation of the security advisory.

CNA scope conflict improvement

4b7bc9f

Kevin-CB requested a review from a team as a code owner August 14, 2023 08:15

infra-ci-jenkins-io bot deployed to preview August 14, 2023 08:24 View deployment

Kevin-CB commented Aug 14, 2023

View reviewed changes

Merge branch 'master' into CNA-scope-conflict

3b19a45

infra-ci-jenkins-io bot deployed to preview April 26, 2024 02:54 View deployment

infra-ci-jenkins-io bot deployed to preview July 30, 2024 19:03 View deployment

infra-ci-jenkins-io bot deployed to preview August 1, 2024 09:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 1, 2024 13:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 1, 2024 17:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 5, 2024 07:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 5, 2024 21:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 6, 2024 11:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 13:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 15:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 19:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 7, 2024 21:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 8, 2024 19:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 12, 2024 05:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 13, 2024 14:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 19, 2024 04:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 19, 2024 15:51 View deployment

infra-ci-jenkins-io bot deployed to preview August 20, 2024 15:51 View deployment

infra-ci-jenkins-io bot deployed to preview August 20, 2024 19:51 View deployment

infra-ci-jenkins-io bot deployed to preview August 21, 2024 14:22 View deployment

infra-ci-jenkins-io bot deployed to preview August 21, 2024 16:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 22, 2024 14:52 View deployment

infra-ci-jenkins-io bot deployed to preview August 22, 2024 22:21 View deployment

infra-ci-jenkins-io bot deployed to preview August 23, 2024 00:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 2, 2024 13:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 3, 2024 15:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 4, 2024 09:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 5, 2024 15:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 5, 2024 17:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 5, 2024 21:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 5, 2024 23:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 7, 2024 17:23 View deployment

infra-ci-jenkins-io bot deployed to preview November 7, 2024 19:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 7, 2024 21:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 8, 2024 03:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 8, 2024 15:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 8, 2024 17:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 8, 2024 21:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 9, 2024 07:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 11, 2024 09:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 11, 2024 17:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 11, 2024 19:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 12, 2024 15:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 12, 2024 21:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 13, 2024 15:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 13, 2024 21:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 14, 2024 11:22 View deployment

infra-ci-jenkins-io bot deployed to preview November 15, 2024 16:52 View deployment

infra-ci-jenkins-io bot deployed to preview November 16, 2024 12:52 View deployment

infra-ci-jenkins-io bot deployed to preview November 19, 2024 15:51 View deployment

infra-ci-jenkins-io bot deployed to preview November 20, 2024 22:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 22, 2024 17:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 22, 2024 19:21 View deployment

infra-ci-jenkins-io bot deployed to preview November 26, 2024 01:21 View deployment

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CNA scope conflict improvement #6612

CNA scope conflict improvement #6612

Kevin-CB commented Aug 14, 2023 •

edited

Loading

daniel-beck commented Aug 14, 2023 •

edited

Loading

Kevin-CB Aug 14, 2023

	The security team handles CVE ID assignment (in cases where there is no CNA scope conflict), advance notification of users, and creation of the security advisory.
	The security team handles CVE ID assignment (assignment may require coordination with another CNA in case of a scope conflict), advance notification of users, and creation of the security advisory.

CNA scope conflict improvement #6612

Are you sure you want to change the base?

CNA scope conflict improvement #6612

Conversation

Kevin-CB commented Aug 14, 2023 • edited Loading

daniel-beck commented Aug 14, 2023 • edited Loading

Kevin-CB Aug 14, 2023

Choose a reason for hiding this comment

Kevin-CB commented Aug 14, 2023 •

edited

Loading

daniel-beck commented Aug 14, 2023 •

edited

Loading