
Regarding the Distributed Weakness Filing system
I don't know if you have seen this yet or not:

http://www.openwall.com/lists/oss-security/2016/03/08/2

TL;DR: In my personal life I work on other projects, one of them being vulnerability identifier related. 

First off: as Kurt Seifried, the Red Hat employee, I still continue to want to work with the CVE Board and Mitre to improve CVE and help move it forwards. However, I obviously have some significant concerns, the worst of which can now be summarized as "Mitre, why won't you talk to us?". Other board members and I have raised a number of concerns, for which there has been no real response from Mitre.

I have additionally learned (and confirmed publicly) that Mitre is drastically reducing the number of CVE assignments, with many researchers stating that they have been largely unable to get CVEs for approx. 6 months now. The reasons given for not giving CVEs include "that product is not covered", "Mitre does not cover web applications" and "The vendor declined to fix the vulnerability".

I have grave concerns, and I suspect other board members do as well; please speak up if you do.

CVE is far too important to the computer industry for it to be allowed to fail.
 
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: March 08, 2016