This hasn't come up [yet] but I wanted to put something out about this before there is a problem.
With the recent integration[0] of CVE[1] and DWF[2] there have been many changes within Red Hat (many of our tools had to be redesigned to handle the longer numbers used in DWF). Eventually I'd like to start using our DWF resources for any vulnerabilities that get reported to us but for now I believe we need to continue using CVEs from MITRE. It seems an agreement with MITRE is lacking and using DWFs could cause problems for vulnerabilities that affect both Fedora and RHEL.
This really isn't a change to how we currently do CVEs[3]. When the agreement is fixed I'd like to start working on updating our vulnerability reporting.
--Eric
[0] https://cve.mitre.org/data/board/archives/2016-04/msg00002.html [1] https://cve.mitre.org/ [2] https://github.com/distributedweaknessfiling/DWF-Documentation [3] https://fedoraproject.org/wiki/Security_Bugs#Reporting_a_Security_Vulnerabil...
security-team@lists.stg.fedoraproject.org