Google Open Source Software (OSS) CVE Numbering Authority (CNA)

Objective of this policy

This document describes a policy for how the Google OSS CNA operates.

Scope of the CNA

The Google OSS CNA manages the CVEs scoped to Google-owned and managed OSS.


When to request a CVE

A CVE should be requested when a non-trivial vulnerability is discovered and publicly disclosed in a Google-owned OSS project.

How to request a CVE

Anyone can request that a CVE be created if the vulnerability is in the scope of this CNA. There are 2 intake paths:

Disclosure Policy

This CNA follows Google's AppSecurity policy.