Objective of this policy
This document describes a policy for how the Google OSS CNA operates.
Scope of the CNA
The Google OSS CNA manages the CVEs scoped to Google-owned and managed OSS.
When to request a CVE
A CVE should be requested when a non-trivial vulnerability is discovered and publicly disclosed in a Google-owned OSS project.
How to request a CVE
Anyone can request a CVE to be created if it is in scope of this CNA. There are 2 intake paths:
- Via the Bug Bounty Program (VRP), as part of a vulnerability discovery report.
- Via email to firstname.lastname@example.org
This CNA follows Google's AppSecurity policy.