
Re: Updating the Products and Sources list.



So for Red Hat it is pretty simple: every single security vulnerability we deal with gets a CVE, be it externally found or internally found, no exceptions. As such, at least one of the things listed in Tier 3 (May Cover), Django, is embedded in several of our products (Subscription Asset Manager, Ceph, Red Hat OpenStack), so from Red Hat's perspective it is "Tier 1" (Must Cover).

Now speaking personally: a taxonomy is only as useful as it is complete. I fear Mitre is devaluing CVE by reducing coverage (especially of things currently covered). I feel like there is a failure to view the current CVE problems through any other lens than "Mitre assigns most of the CVEs and they must ALL be documented in the CVE Database". As long as this view persists I fear that CVE is ultimately doomed. We already have CNAs, and we already have a huge number of CVEs not in the database at all, and many CVE entries are not terribly helpful or useful, as witnessed by the search:

http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=unspecified

which returns 15,613 results. So I think it's safe to say we've already crossed the "not all CVE entries have to be perfect" bridge.


--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: January 07, 2016