- Issue created by @aangel
- 🇺🇸United States cmlara
Retitle as this appears to be focused on D7 ES providers currently.
Much of this would appear to relate to contractual agreements the D7ES providers have with the DST and Drupal CNA, and as such normal rules may not apply.
The Drupal Security Team operates under the Red Hat Root CNA, which is the preferred Root CNA for most open-source projects.
Considering Red Hat only became a root in 2022, is this actually true? The Drupal CNA predates the Red Hat Root. The CVE website only lists MITRE as their top level root, so that does leave ambiguity about if they have a parent root.
MITRE was used as the CNA-LR. It's not clear to me if Red Hat was asked first or if the requester went directly to MITRE.
Red Hat only became a CNA-LR in February of 2025, they would not have been capable of accepting the report in 2024.