Remix.run Logo
kbumsik 4 hours ago

Why own numbering instead of CVE?

vngzs 4 hours ago | parent | next [-]

It lets organizations (Tailscale) control the timing and narrative around the disclosure more directly. Organizations sometimes avoid the bureaucracy of going through CVE Numbering Authorities by self-publishing. Often a CVE assignment follows self-disclosure, especially when there's pressure to interoperate with vuln-scanning/compliance tooling

bigfatkitten 3 hours ago | parent [-]

And sometimes it’s just impossible to get a CVE number in a reasonable amount of time, or indeed at all.

wereHamster an hour ago | parent | prev [-]

Some reasons why an org might want to become their own CNA: https://daniel.haxx.se/blog/2024/01/16/curl-is-a-cna/