Tuesday, August 29, 2023

The Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA)

When a vulnerability is disclosed in software you're depending on, the last thing you want is for the remediation process to be confusing or ad-hoc. Towards the goal of a more secure and safe Python ecosystem, the Python Software Foundation has been authorized by the CVE Program as a CVE Numbering Authority (CNA).

Being authorized as a CNA is one milestone in the Python Software Foundation's strategy to improve the vulnerability response processes of critical projects in the Python ecosystem. The Python Software Foundation CNA scope covers Python and pip, two projects which are fundamental to the rest of Python ecosystem.

By becoming a CNA, the PSF will be providing the following benefits to in-scope projects:

  • Paid staffing for CNA operations rather than requiring volunteer time.
  • Quicker allocations of CVE IDs after a vulnerability is reported.
  • Involvement of each projects' security response teams during the reporting of vulnerabilities.
  • Richer published advisories and CVE Records including descriptions, metadata, and remediation information.
  • Consistent disclosures and publishing locations.

CNA operations will be staffed primarily by the recently hired Security Developer-in-Residence Seth Michael Larson, Ee Durbin, and Chloe Gerhardson.

The PSF wants to help other Open Source organizations and will be sharing lessons learned and developing guidance on becoming a CNA and day-to-day operations.

To be alerted of newly published vulnerabilities in Python or pip, subscribe to the security-announce@python.org mailing list for security advisories. There is also a new advisory database published to GitHub using the machine-readable Open Source Vulnerability (OSV) format.

If you'd like to report a security vulnerability to Python or pip, the vulnerability disclosure policy is available on python.org.

The mission of the Common Vulnerabilities and Exposures (CVE®) Program is to
identify, define, and catalog publicly disclosed cybersecurity vulnerabilities. There
is one CVE Record for each vulnerability in the catalog. The vulnerabilities are
discovered then assigned and published by organizations from around the world
that have partnered with the CVE Program. Partners publish CVE Records to
communicate consistent descriptions of vulnerabilities. Information technology
and cybersecurity professionals use CVE Records to ensure they are discussing
the same issue, and to coordinate their efforts to prioritize and address the

The Python Software Foundation (PSF) is the non-profit organization behind Python and PyPI. Our mission is to promote, protect, and advance the Python programming language, and to support and facilitate the growth of a diverse and international community of Python programmers. The PSF supports the Python community using corporate sponsorships, grants, and donations. Are you interested in sponsoring or donating to the PSF so it can continue supporting Python and its community? Check out our sponsorship program, donate directly here, or contact our team!