OpenJS Foundation is now authorized to assign CVE identifiers for vulnerabilities found in open source JavaScript projects hosted by OpenJS.
As part of the OpenJS Foundation's efforts to improve the security posture of our hosted projects, we’re proud to announce that the OpenJS Foundation is now a CVE Numbering Authority (CNA) under the Red Hat Open Source Root CNA. This means the OpenJS Foundation is authorized to assign CVE identifiers for vulnerabilities found in open source JavaScript projects hosted by OpenJS.
Open source projects maintained by volunteers can face challenges coordinating security responses, managing disclosures, and ensuring timely mitigation guidance.
As part of the launch of our CNA and with the support of Alpha-Omega, the OpenJS Security Collab Space is making it easier for maintainers and security researchers to disclose vulnerabilities to OpenJS projects.
OpenJS project maintainers can engage with the CNA to:
CVE stands for Common Vulnerabilities and Exposures. The CVE Program, founded in 1999 and operated by The MITRE Corporation, provides the globally recognized standard for publicly disclosing and tracking security vulnerabilities that require action by downstream maintainers and end users to mitigate or remediate.
Publishing CVEs helps ensure vulnerabilities are consistently disclosed and remediation can be tracked across potentially many impacted products and vendors.
A CNA is an organization authorized by MITRE to assign CVEs to vulnerabilities in software within a specific scope; in our case, most OpenJS-hosted projects. Node.js already operates its own CNA and will be evaluating whether to transition to the OpenJS CNA in the future.
Please report all security vulnerabilities you discover directly to the project, using only the vulnerability disclosure communications channel documented in its Vulnerability Disclosure Policy.
A list of security policies for each OpenJS project can be found in the OpenJS CNA Security Policy.