
Re: CNAs using CVE IDs for Internal Bug Tracking



On Fri, 24 Feb 2017, Coffin, Chris wrote:

: As part of the Feb 22 CVE Board call, the Board discussed CNAs using CVE
: IDs as part of their internal bug tracking. Specifically, when assigning
: CVE IDs early in the vulnerability management process by the CNA, CVE
: IDs may be assigned to issues where the details are not fully understood
: yet (e.g., the issue is later found to not be a vulnerability, multiple
: vulnerabilities turn out to be one, etc.) or for which there is never an
: intention to make them public. We know there are software maintainers
: that would like to function in this way. CVE would like to reach out to
: the Board as a whole and CNAs to better inform any decision made
: regarding whether this should be allowed.

To me, this is a pretty simple 'fix' based on dealing with most of the 
CNAs in a variety of ways, including reporting dozens of vulns.

: Some CNAs currently assign CVE IDs as a final step before publication,

e.g. Oracle. I have traded mails with Bruce about this (and after our
emails, they are evaluating my feedback), saying that I do not agree with
this policy (and others pertaining to CVE assignment). One thing he and
others bring up is what you did above. Assigning before details are
figured out or the issue is validated. The easy fix to that is assign as
soon as the vendor confirms it is a valid issue that warrants a CVE.

That will put the assignment somewhere between day 1 (reporting) and day X
(disclosure) that is not on day X or day X-1.

So I vote for flexibility... but I strongly vote against blindly assigning
on day 1, and I strongly vote against assigning day X.

.b


Page Last Updated or Reviewed: February 25, 2017