
Re: Discussion of Well-Formed CVE Requests



On 2016-05-12 20:18, Kurt Seifried wrote:

> <http://cveproject.github.io/docs/requester/reservation-guidelines.html>
> 
> So for the DWF handling of Open Source vulnerabilities my plan is
> currently for the general case:
> 
> Minimum required for CVE:
> -Software name (and/or URL if it's a common name used more than once)
> -Vulnerable version (one or more)
> -Base flaw (CWE), or a working reproducer that reliably triggers it, or
> some decent description of the flaw (do X/Y/Z and this weird thing happens
> that has a security impact)

I was thinking that the decent description becomes the CVE name/title?  Also,
a title name should be required, even if there's also a good CWE match.
Something like "Vendor product (component) has a CWE-123."  Encourage
good titles but accept anything reasonable.

Is the above enough for MITRE to import and create a CVE entry?  I think
currently a somewhat trusted/authoritative public reference is also
required?

> Strongly required for CVE (not mandatory, but there better be a good
> reason for not having these):
> -Affected component (e.g. function name, URL in web app, etc.)
> -Link or example of vulnerable code, or a link or example of the code fix
> -What the security impact is (AIC?) if you can't explain what
> exploitation accomplishes we have a problem
> 
> Requested for CVE (it'll speed things up):
> -Fixed version/commit
> -CVSSv2/3 scoring information

And all the above would be implemented in a DWF CSV row and collection
of artifacts?  Require minimal JSON file?

 - Art


Page Last Updated or Reviewed: May 13, 2016