| ▲ | kbumsik 4 hours ago | |||||||
Why own numbering instead of CVE? | ||||||||
| ▲ | vngzs 4 hours ago | parent | next [-] | |||||||
It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling | ||||||||
| ||||||||
| ▲ | wereHamster an hour ago | parent | prev [-] | |||||||
Some reasons why an org might want to become their own CNA: https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/ | ||||||||