
Re: Regarding CVE assignments on oss-sec mailing list



On 2015-11-27 00:31, Kurt Seifried wrote:
> 
> On Thu, Nov 26, 2015 at 10:27 PM, Art Manion <amanion@cert.org> wrote:

>     The current assignment model/process is under stress and probably needs
>     to change for CVE to remain broadly useful and relevant.
> 
>     Any thoughts on how to go about this?  Starting with an evaluation of
>     current state/issues?

> So I know we have something like 1000+ assigned CVEs that are public
> and not in the database yet. So the backlog is real.

So that's an item under current state/issues.

> One thing I had suggested to Steve Christey ages ago was "lightweight
> CVEs", e.g. instead of a full write up, just at least give the url for
> the OSS-Security assignment, or the official vendor advisory/etc (for
> cases where I had privately assigned it for a project/etc.). At least
> this way people can track down some info on the CVE easily (you can
> Google, but you get a lot of "reserved CVE" hits you need to filter
> out). These lightweight entries could always be promoted to "full CVEs"
> later on if needed.

I generally like the idea (a speed/quality tradeoff), but let me suggest
some process -- figure out where CVE is and what problems it faces
before trying to solve them:

  http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/

Regards,

 - Art


Page Last Updated or Reviewed: November 27, 2015