Hi!

I've been complaining in the past about the way PHP CVEs are handled -
they are sometimes issued with no coordination with anybody from PHP
developers, sometimes contain misleading and outright wrong information
and sometimes disregard our guidelines for security issues
(https://wiki.php.net/security). Fortunately, it looks like now there is
a way to properly fix it.

In order to do that, I've decided to apply for CNA for the PHP project - see
more on CNAs here: https://cve.mitre.org/cve/request_id.html - which
would make PHP developers the official authority for issuing CVEs for PHP.

In order to do that, we would need one or more people to be set up as
CVE mentors, as described here:
https://github.com/distributedweaknessfiling/DWF-CVE-Mentor-Registry/blob/master/README.md
I plan to register myself as one, but if anyone wants to volunteer,
please step up. I have already contacted Kurt Seifried about it, and got
initial instructions (which are pretty much starting with filling out the
mentorship forms) and would like to continue the setup, but if somebody
wants to join in helping things, please tell me.

Also please tell me if you have any concerns or comments about this.

Thanks,
Stas Malyshev
smalyshev@gmail.com