CNA and security contact point

Brian Inglis Brian.Inglis@SystematicSw.ab.ca
Sat Sep 21 00:23:00 GMT 2019


On 2019-09-20 07:24, Dimitrios Glynos wrote:
> for security vulnerabilities identified in newlib is RedHat acting
> as the CNA to generate CVE identifiers, or should we request
> these from the root CNA at MITRE?
> Also what's the preferred contact point (email address) for disclosing 
> vulnerabilities?

There appears to be no documented approach, and little precedent, but as no one
else is responding publicly, I can suggest some things. Note that this is a volunteer
project, with contributions sometimes from vendor staff.

Infrastructure and support for sourceware.org is from RedHat and they and ARM
are major downstream vendors and contributors; Cygwin and RTEMS are major
downstream projects; Cygwin shares maintainers with newlib and RedHat.

You should contact the maintainers shown on https://sourceware.org/newlib/ using their
public keys. Not sure if either CV or JJ is around right now.

See https://access.redhat.com/security/team/contact/ for email and GPG key.
For ARM, see
https://developer.arm.com/support/arm-security-updates/report-security-vulnerabilities

-- 
Take care. Thanks, Brian Inglis, Calgary, Alberta, Canada

This email may be disturbing to some readers as it contains
too much technical detail. Reader discretion is advised.
