
RE: Question about robots.txt



Brian,

> That said, after Kurt's mail in December of 2015... in the last ~ 30 
> - 60 days, I noticed that MITRE finally changed that. Google is now 
> indexing and caching the CVE pages.

We made the change to allow indexing back in Feb of 2016, which was a 
few months after Kurt had pointed out the issue. We apologize to all 
for not replying to the original thread at that time. Dan also 
mentioned the same in a response to you back in April of this year 
(http://common-vulnerabilities-and-exposures-cve-board.1128451.n5.nabble.com/Re-CVENEW-New-CVE-CANs-2017-04-23-19-00-count-1-td722.html#a727).

> Just like you didn't ask us about the 3k+ RESERVED fiasco that got 
> several of us talking about this morning, figuring out how we'd 
> handle it. When NVD spoke up, we all collectively said "hell yeah!"
>
> The fact that NVD called you out, and has since said they will be 
> 'ignoring' those IDs, is also very significant in CVE history. This 
> is the first *real* break that NVD has had from CVE ever. There have 
> been other breaks the last year+, but they were more pedantic and 
> favored NVD over MITRE/CVE, based on the time of entries becoming 
> public (e.g. NVD published before MITRE did).

We are not absolutely certain what concern you have in the case of the 
RESERVED CVE IDs moving to REJECT status. Please let us know if the 
following explanation does not clear up your concerns.

We have had multiple conversations during Board conference calls 
regarding the fact that there are many RESERVED CVE IDs within the 
current CVE list, and there was a general consensus that they should be 
cleaned up (i.e., REJECT or populate). As you are probably aware, there 
are multiple reasons that a CVE ID might be stuck in a RESERVED status. 
One of those reasons could be that the CNA obtained a block of CVE IDs, 
but never actually assigned some of those IDs to vulnerabilities.

As a first step in tackling the larger cleanup effort, we began 
contacting CNAs in March of this year to determine what CVE IDs they 
had not used from their previously assigned CVE ID blocks. All but a 
couple of CNAs responded and pointed out which CVE IDs were not used. 
In every case, the CVE ID in question moved from a status of RESERVED 
to a status of REJECT. The CVE IDs in question were moved to REJECT 
status earlier today.

You are correct; Dave at NIST had sent a message in regard to this 
first step, and he was not clear on exactly what the end result would 
be. Dave and I spoke on the phone; we cleared up the gaps in 
understanding, and even decided to hold off for a day to give the NIST 
NVD folks a bit more time to analyze the impact. 

Dave can correct me if I'm wrong, but we didn't interpret the comment 
"ignored by the NVD" to mean that the NVD team would not publish the 
REJECT CVE entries. Our interpretation is that the NVD team does not 
see a need to analyze the entries and will simply publish them as is, 
with no significant effort on their part.

Regards,

Chris Coffin
The CVE Team

-----Original Message-----
From: jericho [mailto:jericho@attrition.org] 
Sent: Thursday, May 11, 2017 12:32 AM
To: Coffin, Chris <ccoffin@mitre.org>
Cc: Kurt Seifried <kseifried@redhat.com>; cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
Subject: RE: Question about robots.txt
Importance: High


On Tue, 8 Dec 2015, Coffin, Chris wrote:

: We made the choice a long time ago to not allow indexing of the
: cve.mitre.org web site. At least part of that decision was simply
: resource constraints - when CVE was in its toddler years, search engine
: indexers were very resource intensive.

That 'decision' was based on crap excuses, even back then. =) As 
someone who ran two sites over the time MITRE ran CVE, and intensively 
watched logs on one of them (attrition.org, since 1998-10-07), search 
engines were NOT resource intensive back then. Attrition staff talked 
about that issue and didn't block any of our content in robots.txt 
because search engine spam was present, but not heavy. For those 
interested in Internet history...

forced ~$ more /home/admin/util/list.filter
72.14.203.104
forced.attrition.org
images.search.yahoo.com
casualgamer.org
myspace.com
stumbleupon.com
f-mai.gif
f-bak.gif
f-att.gif
thefiles.gif
panopta.com
divinelanguage.com
forced ~$ grep -i google /home/admin/util/list.* 
/home/admin/util/list.bot:googlebot.com
/home/admin/util/list.bot:Feedfetcher-Google
/home/admin/util/list.filter-old:google.com
/home/admin/util/list.filter-old:google.co.jp/search
/home/admin/util/list.filter-old:google.de
/home/admin/util/list.filter-old:google.fr
/home/admin/util/list.filter-old:google.co.uk
forced ~$

"list.filter-old" is from 2003-08-25. The limited set of Google domains 
should be very telling, given the year and traffic generated.

We actually *stopped* filtering Google at some point, while ignoring 
Yahoo early on. Why? Because they were simply not hammering sites and 
causing any undue burden, to a random desktop machine bought at the 
local computer store. Those were "ignore displaying those entries in 
our log parser", not "block them from reaching our web server" via 
iptables.

That was Attrition when it was run on a ~ $500 box bought in 1998 and 
hosted on a consumer link, compared to MITRE's resources and CVE 
contract money from the government at the time. So to be clear, MITRE's 
answer in 2015 is based on people forgetting what it was like in 1997 
- 1999.

That said, after Kurt's mail in December of 2015... in the last ~ 30 - 
60 days, I noticed that MITRE finally changed that. Google is now 
indexing and caching the CVE pages.

Thank you, as a long-time taxpayer funding MITRE's projects, including 
CVE, to the tune of $1,487,334,000 in MITRE income last year. Good to 
see you making these small changes to help the industry.

: We are currently re-examining this policy and will keep the Board
: posted.

Except... you didn't. Just like you didn't ask us about the 3k+ 
RESERVED fiasco that got several of us talking about this morning, 
figuring out how we'd handle it. When NVD spoke up, we all collectively 
said "hell yeah!"

The fact that NVD called you out, and has since said they will be 
'ignoring' those IDs, is also very significant in CVE history. This is 
the first *real* break that NVD has had from CVE ever. There have been 
other breaks the last year+, but they were more pedantic and favored 
NVD over MITRE/CVE, based on the time of entries becoming public (e.g. 
NVD published before MITRE did).

Brian


Page Last Updated or Reviewed: May 15, 2017