@bagder @Stephanie @hughsie
We did that in OpenVPN too. We got CVEs issued on reports we rejected, because the reporter then reached out directly to MITRE because the reporter disagreed it wasn't an issue. One of them was also something being a documentation issue (a user explicitly configuring a management interface, which is disabled by default, on a public IP address and not ensuring password authentication is enabled, is hardly a CVE).
Since Red Hat is a CNA these days available for FOSS projects, perhaps getting under their wings is a better approach. That was not an option for us when we registered.
The gotcha is the administrative overhead of keeping track of the status for the CVEs in progress internally, keeping reporters up-to-date, discussing (sometimes arguing) the report and the progress. Some (few) reporters expect a resolution within a week with a loud announcement crediting them. Once it's made public, there is less work with it. Then it's to fix the CVSS scores when they're completely wrong, typically added by some external entities if you didn't put it in the CVE record yourself.
We also have a policy to never credit reporters in the CVE record itself, even though it seems to be possible now. We give them a simple "reported by" line in the release announcement and/or the git commit message. Not because they don't deserve it, but to make it less attractive for those doing reports mostly to get CVEs in their CVs and being easily searchable. Those reports are also typically not the most critical ones, but minor stuff. Some reporters have even demanded more attention (which we've politely rejected, due to our policy).
At its core, it's tedious and boring administrative work which unfortunately is needed to keep some kind of control. This work also takes away time which could be used on development of the project.
It's the ego-trip reporters who are the biggest pain, though, and who waste our time most. And they are far more loud than the serious reporters, who can be wonderful to collaborate with. If everyone would behave as the really serious reporters, it wouldn't be such annoying work.