The article “How Linux Kernel Deals With Tracking CVE Security Issues” examines how open-source projects like the Linux kernel handle Common Vulnerabilities and Exposures (CVEs), highlighting changes in legislation and practices.
CVEs provide a way to document security vulnerabilities. IDs are assigned by CVE Numbering Authorities (CNAs), a role that historically sat mostly with large vendors rather than with the projects that write the code. The European Union’s Cyber Resilience Act (CRA) now expects open-source projects whose software ends up in commercial products to have a cybersecurity policy and to report actively exploited vulnerabilities. In practice this pushes open-source projects to manage their own CVEs.
Bogus CVEs are a significant part of the problem: a third party can file a CVE against a project for a non-issue, and the project then has to spend time disputing it. curl’s lead developer, Daniel Stenberg, dealt with a run of such bogus CVEs and made curl its own CNA so that the project, not outsiders, decides what gets a CVE ID. The Linux kernel developers likewise became a CNA, both to control assignment for their own code and to meet the new legal obligations.
Greg Kroah-Hartman, Linux stable kernel maintainer, discussed the CRA’s impact, emphasizing the shift in responsibility from vendors to open-source projects. The EU’s legislation explicitly assigns responsibility for security management to the projects themselves.
Organizations like CVE.org and the Open Source Software Security Foundation have simplified the process of becoming a CNA. GitHub’s guide provides valuable instructions for projects.
The Linux kernel CNA assigns CVEs only after a fix has been merged and released, so a CVE ID never advertises an unfixed bug. It deliberately does not attach CVSS scores: the kernel runs in far too many configurations for a single severity number to be meaningful, so the kernel leaves severity assessment and prioritization to the distributions and users who know how a given subsystem is deployed.
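What that policy means for a downstream consumer is that a kernel CVE record arrives with affected version ranges but no CVSS, and the scoring has to be done locally. The triage helper below is an added example (not code from the article, the kernel project, or cve.org): it reads a record in the CVE Record Format 5.x layout (`containers.cna.metrics` for CVSS, `containers.cna.affected[].versions[]` for ranges), flags records that carry no CVSS, and pulls out the affected ranges so they can be matched against a deployed tree. The two records, the CVE ID, the commit hashes and the version numbers are constructed placeholders and describe no real vulnerability; the use of `versionType: "git"` ranges is modelled on how the kernel CNA expresses affected commits, which is an assumption of this example.

```python
"""Triage a CVE JSON 5.x record whose CNA ships no CVSS (as the kernel CNA does).

Added example, not the kernel project's code. The records below are
constructed for this example; IDs, hashes and versions are placeholders.
"""
import json


def _base_record():
    # Constructed sample record; CVE-0000-00000 is a placeholder, not a real ID.
    return {
        "dataType": "CVE_RECORD",
        "dataVersion": "5.1",
        "cveMetadata": {"cveId": "CVE-0000-00000", "state": "PUBLISHED"},
        "containers": {
            "cna": {
                "descriptions": [{"lang": "en", "value": "constructed example"}],
                "affected": [{
                    "vendor": "Linux", "product": "Linux",
                    "defaultStatus": "unaffected",
                    "versions": [
                        # Git range: introduced at `version`, fixed at `lessThan`
                        # (placeholder hashes, assumed kernel-CNA style).
                        {"version": "1111111111111111111111111111111111111111",
                         "lessThan": "2222222222222222222222222222222222222222",
                         "status": "affected", "versionType": "git"},
                        # Release-number range for the same bug (placeholder).
                        {"version": "6.1", "lessThan": "6.1.99",
                         "status": "affected", "versionType": "semver"},
                    ],
                }],
                "references": [{"url": "https://example.invalid/fix-commit"}],
            }
        },
    }


# Record as a CNA that does not score would publish it: no "metrics" key.
SAMPLE_RECORD = json.dumps(_base_record())

# Same record with a CVSS v3.1 metric attached, for contrast (constructed).
_scored = _base_record()
_scored["containers"]["cna"]["metrics"] = [
    {"cvssV3_1": {"version": "3.1", "baseScore": 7.8, "baseSeverity": "HIGH"}}
]
SAMPLE_RECORD_WITH_CVSS = json.dumps(_scored)


def cvss_scores(record):
    """Return {metric_key: baseScore} for every CVSS object in the CNA container.

    Keys are whatever the record uses (cvssV3_1, cvssV4_0, ...); an empty dict
    means the CNA published no score and the consumer must score it themselves.
    """
    scores = {}
    for metric in record["containers"]["cna"].get("metrics", []):
        for key, value in metric.items():
            if key.startswith("cvss") and isinstance(value, dict) \
                    and "baseScore" in value:
                scores[key] = value["baseScore"]
    return scores


def affected_ranges(record):
    """List (versionType, introduced, fixed) for every range marked affected.

    `fixed` is the exclusive upper bound (`lessThan`), falling back to the
    inclusive `lessThanOrEqual` form; None means no fix bound was recorded.
    """
    ranges = []
    for product in record["containers"]["cna"].get("affected", []):
        for entry in product.get("versions", []):
            if entry.get("status") != "affected":
                continue
            fixed = entry.get("lessThan") or entry.get("lessThanOrEqual")
            ranges.append((entry.get("versionType"), entry["version"], fixed))
    return ranges


def triage(record_json):
    """Summarise a record: ID, whether local scoring is needed, CVSS, ranges."""
    record = json.loads(record_json)
    scores = cvss_scores(record)
    return {
        "cve_id": record["cveMetadata"]["cveId"],
        "needs_local_scoring": not scores,
        "cvss": scores,
        "affected": affected_ranges(record),
    }


if __name__ == "__main__":
    for name, rec in (("unscored", SAMPLE_RECORD),
                      ("scored", SAMPLE_RECORD_WITH_CVSS)):
        print(name, json.dumps(triage(rec), indent=2))
```

The `needs_local_scoring` flag is the point: a pipeline that blindly reads `baseScore` would treat every kernel CVE as "no score, ignore", which is the opposite of what the kernel CNA intends. The git range is what you actually match against a deployed tree (`git merge-base --is-ancestor` of the fix hash against your branch); the release-number range is only an approximation once backports are in play.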
In conclusion, open-source projects now bear more of the responsibility for their own CVEs. Legislation is pushing them that way, and becoming a CNA has become easy enough that projects can take the role on. The Linux kernel and curl show what that looks like in practice: the project controls which issues get IDs, IDs follow fixes rather than precede them, and severity is judged by the people who know the deployment.