2024-06-05 18:02:47

Dan Goodin on Nostr: The Linux Kernel project was made an official CVE Numbering Authority (CNA) with ...

The Linux Kernel project was made an official CVE Numbering Authority (CNA) with exclusive rights to issue CVE identifiers for the Linux kernel in February this year.

While initially this looked like good news, almost three months later, this has turned into a complete and utter disaster.

Over the past months, the Linux Kernel team has issued thousands of CVE identifiers, with the vast majority being for trivial bug fixes and not just security flaws.

Just in May alone, the Linux team issued over 1,100 CVEs, according to Cisco's Jerry Gamblin—a number that easily beat out professional bug bounty programs/platforms run by the likes of Trend Micro ZDI, Wordfence, and Patchstack.

https://news.risky.biz/risky-biz-news-the-linux-cna-mess/
Author Public Key
npub1z3lwfekw80j4ngzg6ky3ks202xr6uwnd4jttxzsd4euc9l55euvq48qvzu