
Re: Regarding CVE assignments on oss-sec mailing list



On 2015-11-26 09:36, Kurt Seifried wrote:

> Just as an aside, secalert@redhat.com has also seen a number of
> requests in the form "we asked Mitre and now we're asking you" which
> I was unable to fulfill because the risk of a duplicate is too high

Just to pile on (again), CERT regularly gets requests for CVE IDs in
which the requester has asked MITRE/CVE and has not received a response.
Also, some vendor CNAs are not performing, as Brian has mentioned.

Having CERT, or Kurt/OSS-SEC, or some other CNA assign more IDs is only
part of the problem.  As best I understand it:

1. CVE assigned
2. Publication/disclosure
3. MITRE/CVE populates entry (based on #2)
4. NVD and other downstream activity

If we increase #1, that just pushes work further down the list.

The current assignment model/process is under stress and probably needs
to change for CVE to remain broadly useful and relevant.

Any thoughts on how to go about this?  Starting with an evaluation of
current state/issues?

Regards,

 - Art


Page Last Updated or Reviewed: November 27, 2015