From 39173f66e541db909069a4ce30d7590b76041596 Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Fri, 8 Mar 2024 11:09:48 +0100 Subject: [PATCH] VULN-DISCLOSURE-POLICY.md: update detail about CVE requests curl is a CNA now Closes #13088 --- .github/scripts/spellcheck.words | 1 + docs/VULN-DISCLOSURE-POLICY.md | 3 ++- 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/.github/scripts/spellcheck.words b/.github/scripts/spellcheck.words index ab7b18c1f5..050513c76f 100644 --- a/.github/scripts/spellcheck.words +++ b/.github/scripts/spellcheck.words @@ -117,6 +117,7 @@ cmake CMake's cmake's CMakeLists +CNA CodeQL codeql CODESET diff --git a/docs/VULN-DISCLOSURE-POLICY.md b/docs/VULN-DISCLOSURE-POLICY.md index 5f10bc8b6f..f18db6d52f 100644 --- a/docs/VULN-DISCLOSURE-POLICY.md +++ b/docs/VULN-DISCLOSURE-POLICY.md @@ -59,7 +59,8 @@ announcement. [SECURITY-ADVISORY](https://curl.se/dev/advisory.html) for help on creating the advisory. -- Request a CVE number from HackerOne +- Request a CVE Id for the issue. curl is a CNA (CVE Numbering Authority) and + can request its own numbers. - Update the "security advisory" with the CVE number.
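Review bot: In the docs/VULN-DISCLOSURE-POLICY.md hunk, the replacement step drops the "from HackerOne" detail without saying where or how the CVE Id is now requested, so someone following the checklist has no pointer to the actual procedure. Add a short reference to who in the project issues the number, or to the document that describes the process. The added text also says "CVE Id" while the unchanged next step still says "CVE number", and "can request its own numbers" mixes the two terms again. Pick one term (the CVE program's own spelling is "CVE ID") and use it consistently in both steps.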