The Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

Towards the goal of a more secure and safe Python ecosystem, the Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)! :partying_face:

Being a CNA means the PSF can improve the vulnerability response of critical projects in the Python ecosystem, like CPython and pip, and for Python users, through timely and high-quality security advisories and remediations.

I also plan to create guidance focused on other Open Source organizations and projects both in and outside the Python ecosystem to become CNAs and provide the same benefits to their projects.

To be alerted of newly published vulnerabilities in Python or pip, subscribe to the security-announce@python.org mailing list for security advisories. There is also a new advisory database published to GitHub using the machine-readable Open Source Vulnerability (OSV) format.

You can read the full details in my announcement on the PSF blog.

33 Likes
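The OSV advisory database mentioned in the announcement is meant to be consumed by tooling, so here is an added example (not code from the original post, the PSF, or the OSV project) of how a practitioner might read one OSV-style record and decide whether an installed version is affected. The advisory record, its id `PSF-EXAMPLE-0000` and the package name `examplepkg` are constructed placeholders, not a real advisory. The version parser is deliberately simplified to dotted integers and only `ECOSYSTEM` ranges with `introduced`/`fixed` events are evaluated; a real checker would use the `packaging` library for PEP 440 versions and also handle `last_affected`.

```python
"""Check whether a package version falls in an OSV advisory's affected ranges.

Added example, not the PSF's or OSV's own code. The record below is
CONSTRUCTED to show the OSV layout (id, affected[].package,
affected[].ranges[].events); its id, package and versions are placeholders.
"""
import json

# Constructed sample record in OSV layout; not a real vulnerability.
SAMPLE_OSV = json.loads("""
{
  "id": "PSF-EXAMPLE-0000",
  "summary": "Constructed example advisory (not a real vulnerability)",
  "affected": [
    {
      "package": {"ecosystem": "PyPI", "name": "examplepkg"},
      "ranges": [
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "0"}, {"fixed": "1.4.2"}]},
        {"type": "ECOSYSTEM",
         "events": [{"introduced": "2.0.0"}, {"fixed": "2.1.0"}]}
      ]
    }
  ]
}
""")


def parse_version(v):
    """Parse a plain dotted-integer version such as '1.4.2' into a tuple.

    Simplification (assumption of this example): real PEP 440 versions
    (pre-releases, epochs, local labels) need the `packaging` library.
    Non-numeric components raise ValueError rather than comparing wrongly.
    """
    return tuple(int(part) for part in v.split("."))


def affected_intervals(events):
    """Turn an OSV event list into [introduced, fixed) intervals.

    OSV semantics: 'introduced' opens an affected interval ('0' means
    'from the first version'), 'fixed' closes it at a version that is
    itself not affected. An 'introduced' with no later 'fixed' is open-ended.
    'last_affected' is not handled here (assumption of this example).
    """
    intervals = []
    start = None
    for event in events:
        if "introduced" in event:
            start = event["introduced"]
        elif "fixed" in event and start is not None:
            intervals.append((start, event["fixed"]))
            start = None
    if start is not None:
        intervals.append((start, None))  # no fix published yet
    return intervals


def version_in_range(version, events):
    """Return True if `version` lies in any affected interval of one range."""
    v = parse_version(version)
    for start, end in affected_intervals(events):
        lower_ok = start == "0" or parse_version(start) <= v
        upper_ok = end is None or v < parse_version(end)
        if lower_ok and upper_ok:
            return True
    return False


def is_affected(advisory, ecosystem, name, version):
    """Return True if (ecosystem, name, version) is affected by `advisory`."""
    for entry in advisory.get("affected", []):
        pkg = entry.get("package", {})
        if pkg.get("ecosystem") != ecosystem or pkg.get("name") != name:
            continue
        for rng in entry.get("ranges", []):
            if rng.get("type") != "ECOSYSTEM":
                continue  # GIT and SEMVER ranges need different comparison rules
            if version_in_range(version, rng.get("events", [])):
                return True
    return False


if __name__ == "__main__":
    for ver in ("1.0.0", "1.4.2", "1.9.0", "2.0.5", "2.1.0"):
        print(SAMPLE_OSV["id"], "examplepkg", ver,
              "AFFECTED" if is_affected(SAMPLE_OSV, "PyPI", "examplepkg", ver)
              else "not affected")
```

Note that `fixed` is exclusive: a version equal to the fixed version is reported as not affected, and a version between two intervals (here `1.9.0`) is also clean, which is exactly the case a naive "minimum fixed version" comparison gets wrong.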

Will it be possible to add Pallets to this as we are a fiscal sponsoree?

3 Likes

Long-term we’d like to add other projects under our scope but because we’re just getting started with CNA operations we want to be sure the workload matches our ability before adding more projects.

We’ll also be drafting guidance around CNA operations, so maybe around that time we can reevaluate adding more projects.

3 Likes

Hello @sethmlarson,

I’m Natalia, a Django Fellow (similar to the PSF’s developer-in-residence role) and a member of the Django Security Team. Along with Sarah, the other Fellow, we handle Django Security Releases.

We wanted to check if there have been any updates on adding more projects under the PSF CNA umbrella, as Django would be interested in being included. Please let me know if there’s a better way to reach the relevant people about this.

Thank you!

Hey @nessita! Thanks for reaching out, we have Pallets projects under the PSF CNA scope right now as a pilot. One of the caveats we have is that projects should be able to manage their own CVE IDs, so today that means something like GitHub Security Advisories or something similar.

Since Django has a security team and fellows, I wonder if it makes sense to have the DSF become a CVE Numbering Authority so that you provide your own “scope umbrella”. Apologies if you’ve seen these already, but I’ve put together some materials on becoming a CNA and what to expect and study for CNA training.

Overall, for a small number of projects/CVEs the workload isn’t bad. Mostly pasting exactly what you have in advisories today into a web form and hitting a few buttons. If you do decide to move forward with this: start the process and book an appointment ASAP as they have a significant lead-time.

Always happy to answer questions about CVE/CNAs, hopefully this is all helpful.

1 Like

Thank you so much Seth, this information helps considerably! :star2:

I will read the provided links and circle back to the DSF Board (@jacobian @thibaudcolas). I may reach out in the future for further advice on concrete questions.

3 Likes

From my side on Pallets, it was really easy to be brought under the PSF CNA. Had a short meeting with Seth, he updated some documents, and that was it. Nothing really changed for us, we still use the same process with GitHub advisories to work on issues and get CVEs. But it’s nice to know that we have expert support in case we need it. Hopefully it can be expanded to other member groups of the PSF. If the DSF were to become a CNA, I’m sure Django-related projects (Jazzband, Django-Commons, etc) could benefit in the same way.

3 Likes