This hasn't come up [yet] but I wanted to put something out about this
before there is a problem.

With the recent integration[0] of CVE[1] and DWF[2] there have been many
changes within Red Hat (many of our tools had to be redesigned to handle
the longer numbers used in DWF). Eventually I'd like to start using our
DWF resources for any vulnerabilities that get reported to us but for
now I believe we need to continue using CVEs from MITRE. It seems an
agreement with MITRE is lacking and using DWFs could cause problems for
vulnerabilities that affect both Fedora and RHEL.

This really isn't a change to how we currently do CVEs[3]. When the
agreement is fixed I'd like to start working on updating our
vulnerability reporting.

--Eric

[0] https://cve.mitre.org/data/board/archives/2016-04/msg00002.html
[1] https://cve.mitre.org/
[2] https://github.com/distributedweaknessfiling/DWF-Documentation
[3] https://fedoraproject.org/wiki/Security_Bugs#Reporting_a_Security_Vulnera...