Hey,
Funny enough I was discussing CVEs at a conference last weekend,
somewhat in relation to XMPP as well.
The issue with CVEs is the amount of them, and the majority of them are
so minor that you would have to be extremely unlucky for them ever to
be exploitable. This doesn't mean you should ignore them, but it means
you rarely know there is a major vulnerability within the spam of CVEs.
Take the Linux kernel for example: since partnering they have spammed so
many CVEs that the average person is unable to keep up, and relies on
the distro to handle it.
I still think it would be useful, but could I recommend also having a
security feed on the XSF website? Maybe a small group of members
can volunteer to be part of a security team, and they are responsible
for documenting vulnerabilities of concern, and then maybe have another
RSS feed for CVEs which can be spammed with as many as needed.
Therefore having the best of both worlds?
Maybe it might be nice to have a security mailing list for the XSF too,
which is low frequency unless there is a vulnerability of concern?
Just some ideas :)
Take care,
--
Polarian
Jabber/XMPP: polarian(a)icebound.dev