Hi folks,
Most of you are probably familiar with CVEs. They're like universal
bug numbers for security vulnerabilities. They make it much easier to
exchange information about security issues in software, if everyone
refers to the same vulnerability by the same number.
The CVE ecosystem isn't perfect, and has been a bit turbulent over
recent years. One cause of this is that the number of vulnerabilities
has been increasing for a long time, and the organization that used to
issue them became a bottleneck - it now delegates a lot of the work to
others.
One way it does this delegation is by working with "CVE Numbering
Authorities". Basically, organizations can register as a numbering
authority (CVE issuer) within a particular category of software.
Sometimes this can be a single project (the Linux kernel recently
became a CNA), but ideally it encompasses a range of related software.
Which leads to the obvious suggestion... I believe it would be
beneficial for the XSF to apply for CNA status, with the scope of
issuing CVEs for software within the XMPP ecosystem.
There are various benefits:
- The XSF is already a hub for XMPP software developers, making
discoverability and issuance easier for projects
- Response times may be faster (due to the narrow scope, the XSF will
naturally receive a far lower volume of CVE requests than generic CNAs
such as MITRE)
- The XSF has a history of coordinating vulnerability communication
between projects when necessary. This has been very useful in the
past, and it would help to bolster that activity.
I think it would be sensible for us to discuss this. If there is
positive consensus, I don't mind taking on the task of the application
and any necessary processes. However, for the operation of a CNA
programme it would be good to have at least several trusted people
willing to work on such a team.
Further reading:
- https://www.cve.org/PartnerInformation/Partner
- https://nvd.nist.gov/general/cna-counting
Regards,
Matthew