[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

To: Art Manion <amanion@cert.org>
Subject: Re: CVE for hosted services
From: Pascal Meunier <pmeunier@cerias.purdue.edu>
Date: Wed, 22 Feb 2017 16:05:34 -0500
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cerias.purdue.edu;mitre.org; dkim=none (message not signed) header.d=none;
Cc: Kurt Seifried <kseifried@redhat.com>, "Andy Balinsky (balinsky)" <balinsky@cisco.com>, "Landfield, Kent B" <kent.b.landfield@intel.com>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-date: Wed Feb 22 16:28:46 2017
In-reply-to: <ad8435b9-ba08-a5ee-25ef-cf314c75e0e5@cert.org>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <A4305A50-AD19-4025-842E-D89337B8269C@cisco.com> <379DDB8A-F1D2-4E4B-9307-CFBFDB0521F5@intel.com> <8942442A-17E2-4EEB-9943-648F27125AA6@cisco.com> <079d4575-d5ef-be7c-bdfb-f817e625b02e@cert.org> <CANO=Ty052fUY+BUC2zziFeiJ=cBPQWUbQozm-9ymKDkBuxo2Xg@mail.gmail.com> <ad8435b9-ba08-a5ee-25ef-cf314c75e0e5@cert.org>
Reply-to: <pmeunier@cerias.purdue.edu>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2

I'm afraid that the description of the entries, for issues on services
like facebook.com, would be typically very vague and unverifiable.  I'm
rather annoyed by existing entries that read like "a problem in X, but
different from CVE-1234-5678 and CVE-1234-7890".  What is the issue?
What lessons could be learned from this?  What should we teach not to
do, or teach to do better?  No idea.

Pascal

On Wed, 2017-02-22 at 15:38 -0500, Art Manion wrote:
> Some thoughts based on today's board meeting.
> 
> I consider CVE's primary purpose as identification.  There's a good 
> bit
> of work that goes into just doing identification.  Information
> sharing/publishing/cataloging takes work too.  Identification/naming 
> is
> infrastructural and enables many additional functions.
> 
> "Vulnerability" is often abstract and subjective.
> 
> Software and tech change quickly.  The definition/boundary of what 
> "we"
> "collectively" call vulnerabilities evolves.  The current discussion 
> (1)
> started around the idea of assigning CVE IDs to web/service
> vulnerabilities, which I consider natural evolution.
> 
> Lots of discussion around the definition/boundary of "vulnerability."
> 
> Also a separable discussion (2) about the use of CVE IDs for
> internal-only, non-public issue tracking.  Could an organization use 
> CVE
> to track vulnerabilities with no expectation of publishing or sharing?
> Does an organization want to?
> 
> To try to narrow down the services discussion (1), I'll suggest:
> 
> It should be permitted to assign CVE IDs to common web application
> vulnerabilities in specific sites/services (e.g., facebook.com the 
> site,
> not WordPress the product).  "Common web application vulnerabilities"
> means things in OWASP/CWE like XSS, SQLi, CSRF.  Consider this a use 
> case.
> 
> There is no requirement for any provider, vendor, or CNA to try to be
> comprehensive.
> 
> Regards,
> 
>  - Art
>

Follow-Ups:
- Re: CVE for hosted services
  - From: jericho <jericho@attrition.org>

References:
- CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Re: CVE for hosted services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>
- Re: CVE for hosted services
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CVE for hosted services
  - From: Art Manion <amanion@cert.org>

Prev by Date: Re: CVE for hosted services
Next by Date: Re: CVE for hosted services
Previous by thread: Re: CVE for hosted services
Next by thread: Re: CVE for hosted services
Index(es):
- Date
- Thread