Update vulnerability disclosure guide for EEF CNA

The EEF now operates a CVE Numbering Authority for the BEAM ecosystem.
Updated all documentation to reference the EEF CNA as the primary
authority for CVE requests on Hex.pm packages, with guidance to check
the CNA scope and use the contact page for reporting.

Author: maennchen

docs/security_vulnerability_disclosure/checklist.md

@@ -26,9 +26,13 @@ checklist to ensure that you address vulnerabilities effectively:
 3. **Disclose & Request CVE**:
    - Document the vulnerability, including its impact, affected versions, and
      mitigations, in a security advisory on GitHub or your project's website.
-   - Request a Common Vulnerabilities and Exposures (CVE) identifier for the
-     vulnerability through GitHub's security advisory interface or other
-     appropriate channels.
+   - Request a Common Vulnerabilities and Exposures (CVE) identifier:
+     - Check if your package is in the [EEF CNA scope](https://cna.erlef.org/scope).
+       For the vast majority of Hex.pm packages, the EEF CNA is responsible.
+     - **For packages in EEF CNA scope:** Request a CVE via the
+       [EEF CNA](https://cna.erlef.org/contact).
+     - **For packages outside EEF CNA scope:** Request a CVE through GitHub's
+       security advisory interface or other appropriate channels.
    - Provide clear and comprehensive information to users and stakeholders to
      help them understand the nature and severity of the vulnerability.
    - Check that the disclosure is visible in the

docs/security_vulnerability_disclosure/github_disclosure.md

@@ -33,10 +33,14 @@ vulnerabilities. Below are key features of GitHub's security disclosure process:
      take appropriate action to protect their systems.
 
 3. **CVE Requests**:
-   - GitHub supports the request and assignment of Common Vulnerabilities and
-     Exposures (CVE) identifiers for reported vulnerabilities. Maintainers can
-     request CVE identifiers directly through GitHub's security advisory
-     interface.
+   - For Hex.pm packages, the [EEF CNA](https://cna.erlef.org/) is the primary
+     authority for assigning CVE identifiers. Before requesting a CVE, check the
+     [CNA scope](https://cna.erlef.org/scope) to verify coverage. This applies to
+     the vast majority of Hex packages. To request a CVE from the EEF CNA,
+     contact the [EEF CNA](https://cna.erlef.org/contact).
+   - For projects outside the EEF CNA scope, GitHub supports the request and
+     assignment of CVE identifiers. Maintainers can request CVE identifiers
+     directly through GitHub's security advisory interface.
    - GitHub streamlines the process of requesting CVE identifiers, reducing the
      administrative burden on maintainers and ensuring that vulnerabilities are
      properly cataloged and tracked in the CVE database.
@@ -51,4 +55,4 @@ GitHub provides a comprehensive toolkit for handling security incidents and
 safeguarding the integrity of open-source software projects.
 
 You can see an example for this process in a disclosure for one of
-[ErlEFs libraries](https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p).
+[EEF libraries](https://github.com/erlef/oidcc/security/advisories/GHSA-mj35-2rgf-cv8p).

docs/security_vulnerability_disclosure/index.md

@@ -52,11 +52,13 @@ systems and sensitive data against emerging threats.
 * [Process](process)
 * [GitHub Disclosure](github_disclosure)
 
-The ErlEF Security Working Group ([security@erlef.org](mailto:security@erlef.org))
-offers to connect individuals with experts who can assist in coordinating and
-disclosing vulnerabilities within the BEAM ecosystem. While the WG does not
-handle direct disclosures, it helps to facilitate communication with experienced
-professionals in security vulnerability management.
+The Erlang Ecosystem Foundation operates a
+[CVE Numbering Authority (CNA)](https://cna.erlef.org/) for the BEAM ecosystem.
+The EEF CNA can assist in coordinating and disclosing vulnerabilities, including
+assigning CVE identifiers for most Hex.pm packages. Before requesting a CVE,
+check the [CNA scope](https://cna.erlef.org/scope) to verify coverage. For
+reporting channels and assistance, see the
+[CNA contact page](https://cna.erlef.org/contact).
 
 To report mistakes or suggest additional content, please open an issue or create
 a pull request in the [GitHub repository]({{site.github.repository_url}}).

docs/security_vulnerability_disclosure/process.md

@@ -47,8 +47,16 @@ Below are the most essential parts of a security disclosure process:
 4. **Disclosing the Vulnerability (CVE & Hex)**:
    - After the fix has been implemented and distributed to users, disclose the
      vulnerability publicly. Assign a Common Vulnerabilities and Exposures (CVE)
-     identifier to the vulnerability, if applicable, to facilitate tracking and
-     referencing. Additionally, update the retirement status (
+     identifier to the vulnerability to facilitate tracking and referencing.
+   - For Hex.pm packages, the [EEF CNA](https://cna.erlef.org/) is responsible
+     for assigning CVE identifiers in most cases. Check the
+     [CNA scope](https://cna.erlef.org/scope) to verify coverage (this applies
+     to the vast majority of Hex packages). To request a CVE, contact
+     the [EEF CNA](https://cna.erlef.org/contact).
+   - For projects outside the EEF CNA scope, request a CVE through
+     [GitHub's security advisory interface](https://docs.github.com/en/code-security/security-advisories/working-with-repository-security-advisories/publishing-a-repository-security-advisory)
+     or other appropriate channels.
+   - Additionally, update the retirement status (
      [Elixir](https://hexdocs.pm/hex/Mix.Tasks.Hex.Retire.html) /
      [Erlang](https://rebar3.org/docs/package_management/#retiring-packages))
      of the affected package on Hex, if necessary, to alert users to the presence

docs/security_vulnerability_disclosure/resources.md

@@ -11,10 +11,11 @@ next:
 
 ## Guides
 
+* [EEF CVE Numbering Authority](https://cna.erlef.org/) - Primary CVE authority for Hex.pm packages
 * [OpenSSF Guide to implementing a coordinated vulnerability disclosure process for open source projects](https://github.com/ossf/oss-vulnerability-guide/blob/main/maintainer-guide.md)
 * [GitHub Privately reporting a security vulnerability](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/privately-reporting-a-security-vulnerability)
 * [GitHub Managing privately reported security vulnerabilities](https://docs.github.com/en/code-security/security-advisories/guidance-on-reporting-and-writing-information-about-vulnerabilities/managing-privately-reported-security-vulnerabilities)
-* [Publishing a CVE](https://www.cve.org/ReportRequest/ReportRequestForNonCNAs)
+* [Publishing a CVE](https://www.cve.org/ReportRequest/ReportRequestForNonCNAs) - for projects outside EEF CNA scope
 * [Hex Package Retire](https://hexdocs.pm/hex/Mix.Tasks.Hex.Retire.html)
 * [Rebar Package Retire](https://rebar3.org/docs/package_management/#retiring-packages)
 

docs/security_vulnerability_disclosure/vulnerability_definition.md

@@ -60,11 +60,11 @@ Here's how a library maintainer can make this determination:
    insights. Security professionals can offer guidance on threat modeling, risk
    assessment, and appropriate mitigation strategies.
 
-   The ErlEF Security Working Group ([security@erlef.org](mailto:security@erlef.org))
-   offers to connect individuals with experts who can assist in coordinating and
-   disclosing vulnerabilities within the BEAM ecosystem. While the WG does not
-   handle direct disclosures, it helps to facilitate communication with experienced
-   professionals in security vulnerability management.
+   The [EEF CVE Numbering Authority](https://cna.erlef.org/) can assist in
+   coordinating and disclosing vulnerabilities within the BEAM ecosystem,
+   including assigning CVE identifiers for Hex.pm packages. Check the
+   [CNA scope](https://cna.erlef.org/scope) to verify coverage and the
+   [contact page](https://cna.erlef.org/contact) for reporting channels.
 
 By carefully considering these factors, a library maintainer can make informed
 decisions about whether a reported issue constitutes a security vulnerability