The Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

Towards the goal of a more secure and safe Python ecosystem, the Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)! 🎉

Being a CNA means the PSF can improve the vulnerability response of critical projects in the Python ecosystem, like CPython and pip, and serve Python users through timely and high-quality security advisories and remediations.

I also plan to create guidance focused on other Open Source organizations and projects both in and outside the Python ecosystem to become CNAs and provide the same benefits to their projects.

To be alerted of newly published vulnerabilities in Python or pip, subscribe to the security-announce@python.org mailing list for security advisories. There is also a new advisory database published to GitHub using the machine-readable Open Source Vulnerability (OSV) format.

You can read the full details in my announcement on the PSF blog.


Will it be possible to add Pallets to this as we are a fiscal sponsoree?


Long-term, we’d like to add other projects under our scope, but because we’re just getting started with CNA operations, we want to be sure the workload matches our ability before adding more projects.

We’ll also be drafting guidance around CNA operations, so maybe around that time we can reevaluate adding more projects.
