Newsgroups: php.internals
Xref: news.php.net php.internals:101915
Subject: Setting up CNA for PHP CVEs
From: smalyshev@gmail.com (Stanislav Malyshev)
To: PHP Internals, security@php.net
Date: Fri, 23 Feb 2018 15:58:21 -0800

Hi!

I've been complaining in the past about the way PHP CVEs are handled: they are sometimes issued with no coordination with anybody from the PHP developers, sometimes contain misleading and outright wrong information, and sometimes disregard our guidelines for security issues (https://wiki.php.net/security).

Fortunately, it looks like now there is a way to properly fix it. In order to do that, I've decided to apply for a CNA for the PHP project (see more on CNAs here: https://cve.mitre.org/cve/request_id.html), which would make PHP developers the official authority for issuing CVEs for PHP.

In order to do that, we would need one or more people to be set up as CVE mentors, as described here: https://github.com/distributedweaknessfiling/DWF-CVE-Mentor-Registry/blob/master/README.md

I plan to register myself as one, but if anyone wants to volunteer, please step up. I have already contacted Kurt Seifried about it and got initial instructions (which pretty much start with filling in the mentorship forms), and would like to continue the setup, but if somebody wants to join in helping, please tell me.

Also, please tell me if you have any concerns or comments about this.

Thanks,
-- 
Stas Malyshev
smalyshev@gmail.com