
RE: CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)



> this kind of huge influx of CVEs could potentially break integrations 
> as much as a change in the ID scheme.

We expect that the number of CVEs produced will grow significantly as 
we continue to focus on federation and scaling the program. Can you 
provide some details regarding these integrations and how they might be 
affected? Also, I'd be curious to know what would be considered a large 
update. As we move forward and regularly produce more CVEs, the 
definition of large would probably change as well.

> In the future, such big events should come with a lot more public 
> warning.

We are happy to provide notifications via the CVE web site, Twitter, 
and LinkedIn channels for large or significant updates. What kind of 
timeframe were you thinking in regards to a warning?

Chris

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Thursday, May 11, 2017 11:55 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE Announce - May 11, 2017 (opt-in newsletter from the CVE website)
Importance: High

On Thu, 11 May 2017, CVE wrote:

: Welcome to the latest issue of the CVE-Announce e-newsletter. This email newsletter is
: designed to bring recent news about CVE, such as new website features, new CNAs, CVE in

[..]

: -------------------------------------------------------
: CVE-Announce e-newsletter/May 11, 2017
: -------------------------------------------------------
: 
: Contents:
: 
: 1. IMPORTANT: CVE Will Reject a Group of Unused CVE IDs on May 11

We received warning a day before you planned to do it. It was pushed an 
additional day due to NIST's concerns.

But I don't feel it is appropriate giving the rest of the industry a 
same-day notification of this. The fact that NIST said "whoa... hang on" 
along with some common sense says that this kind of huge influx of CVEs 
could potentially break integrations as much as a change in the ID 
scheme.

In the future, such big events should come with a lot more public 
warning.

Brian


Page Last Updated or Reviewed: May 15, 2017