[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regarding CVE assignments on oss-sec mailing list

To: "Williams, Ken" <Ken.Williams@ca.com>
Subject: Re: Regarding CVE assignments on oss-sec mailing list
From: Pascal Meunier <pmeunier@cerias.purdue.edu>
Date: Mon, 30 Nov 2015 13:05:26 -0500
Authentication-Results: spf=none (sender IP is 129.83.29.3)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=cerias.purdue.edu;
CC: jericho <jericho@attrition.org>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Mon Nov 30 15:05:23 2015
In-Reply-To: <CO1PR01MB110EF47E414E26C0A99CB1AF1010@CO1PR01MB110.prod.exchangelabs.com>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty1ZWyzaqpHE2_0h5rQsmtCVs_dziAv68wXs46TJKjozjg@mail.gmail.com> <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org> <CO1PR01MB110EF47E414E26C0A99CB1AF1010@CO1PR01MB110.prod.exchangelabs.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2

On Sun, 29 Nov 2015 15:11:20 +0000
"Williams, Ken" <Ken.Williams@ca.com> wrote:

> > From: owner-cve-editorial-board-list@lists.mitre.org
> > [mailto:owner-cve- editorial-board-list@lists.mitre.org] On Behalf
> > Of jericho Sent: Thursday, November 26, 2015 12:28 AM
> > To: cve-editorial-board-list
> > <cve-editorial-board-list@lists.mitre.org> Subject: Re: Regarding
> > CVE assignments on oss-sec mailing list
> [...]
> > If CVE fails to provide IDs on a few issues, after three months, I
> > will personally lobby my company to publish advisories without an
> > assignment, and make it very clear that it was done because CVE
> > chose not to assign. It isn't fair that CVE holds up the
> > coordinated disclosure process in cases where the requesting party
> > and vendor are not CNAs themselves. Given that I suggested CVE
> > expand the CNA body a while back, and that appears to have fell on
> > deaf ears, there is no excuse for MITRE at this point.
> [...]
> 
> A disclosure process should never be held up by a pending CVE
> assignment. Just go ahead and disclose and put "pending CVE
> assignment" on the CVE line.
> 
> --
> kw
> 

Adding a CVE ID 3 months after the publication of an advisory should
only help historians.  In my mind that defeats a main purpose of the
CVE, which is to know if Alice, Bob and Charlie are talking about the
same issue or not.

Pascal

Follow-Ups:
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: Art Manion <amanion@cert.org>

References:
- Regarding CVE assignments on oss-sec mailing list
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: jericho <jericho@attrition.org>
- RE: Regarding CVE assignments on oss-sec mailing list
  - From: "Williams, Ken" <Ken.Williams@ca.com>

Prev by Date: Re: CVE Issues
Next by Date: Re: Regarding CVE assignments on oss-sec mailing list
Prev by thread: RE: Regarding CVE assignments on oss-sec mailing list
Next by thread: Re: Regarding CVE assignments on oss-sec mailing list
Index(es):
- Date
- Thread