
Re: Rough Drafts of CVE Counting Documents



On 08/25/2016 12:10 PM, Kurt Seifried wrote:

>>> INC4: can we better define public/private? E.g. what if a medical device
>>> maker plans to use a CVE for an issue that they will then inform every user
>>> of directly? Ditto for aerospace/SCADA/etc.
>>
>> I'm not sure I understand what you would like to have happen.  Limited
>> diffusion?  As a customer, I'd be confused to receive a notice referring to
>> a CVE I couldn't look up on a public web site, if that's what you meant.  If
>> you meant embargoed issues, doesn't the CVE do that already?
>
> So Red Hat has 1000+ CVEs we've assigned and are not in the MITRE database.
> So that bridge has already been crossed. Also I'm assuming the CVEs will
> be available in the vendor database/website, e.g.:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2438
>
> We have a page with limited info (mostly because we're not affected =)
>
> https://access.redhat.com/security/cve/cve-2002-2438
>
> A CVE being in the MITRE or any public database is certainly nice to have,
> especially for high profile issues, but I wouldn't make it a requirement.
The example you give does have public information at http://www.kb.cert.org/vuls/id/464113, so even though it's deplorable that the NVD, CVE and Red Hat web sites don't have any information or even a link to that, I'm not distressed.

However, I'm disappointed by the implication, if true, that many of these 1000+ CVEs could all be "RESERVED" with no public explanation anywhere and with no intent to make them public at any point in the future. What was the point of using the CVE then? If there was a need for secrecy, I believe there should be some form of disclosure after some time. Think of it as declassification, which is of particular interest to historians and academics.

Pascal


Page Last Updated or Reviewed: August 26, 2016