
RE: CVE Current States



I like that.  Will help fine-tune the reporting.
Regards,

 


Beverly M Finch, PMP
PSIRT Program Manager

Product Security Office

7001 Development Drive

Office 3N-C1

Morrisville, NC  27560

Phone: +1 919 294 5873
Email: beverlyfinch@lenovo.com

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Thursday, May 25, 2017 9:02 PM
To: Coffin, Chris
Cc: cve-editorial-board-list
Subject: Re: CVE Current States

 

Currently we have "STATE" in the "CVE_data_meta", can I suggest we add STATE_DETAIL and STATE_DESCRIPTION, e.g.:

 

"STATE": "REJECT",
"STATE_DETAIL": "DUPLICATE_ASSIGNMENT",
"STATE_DESCRIPTION": "it all went horribly wrong"

 

So basically we'd have to agree on the tags for STATE_DETAIL and then STATE_DESCRIPTION can be free form explanation of what happened for humans.

 

 

On Thu, May 25, 2017 at 4:21 PM, Coffin, Chris <ccoffin@mitre.org> wrote:

All,

 

As discussed in the Board meeting on 5/24, here are the current CVE states along with some descriptions (some exist in the CVE FAQ). In the case of POPULATED and UNASSIGNED, I don’t think we have ever treated these as states in the past, but I think it makes sense to do so for this exercise and moving forward.

 

UNASSIGNED: A CVE that has never been ALLOCATED or RESERVED. The CVE master list provides an error message in the case that someone attempts to view this CVE ID.

Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2001-10000

 

RESERVED: A CVE Identifier (CVE ID) is marked as "RESERVED" when it has been reserved for use by a CVE Numbering Authority (CNA) or security researcher, but the details of it are not yet populated.

Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-1253

 

REJECT: A CVE ID listed as "REJECT" is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the description of the CVE ID.

Reject reasons (not an inclusive list):

- Duplicate assignment
- Duplicate reservation
- Duplicate Typo in Sequence or year
- Mixed issues or Dual use
- Merged (same vuln type/ versions)
- Withdrawn by CNA (not a vuln)
- CNA expired pool

Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8784

 

DISPUTED: When one party disagrees with another party's assertion that a particular issue in software is a vulnerability, a CVE ID assigned to that issue may be designated as being "DISPUTED". In these cases, CVE is making no determination as to which party is correct. Instead, we make note of this dispute and try to offer any public references that will better inform those trying to understand the facts of the issue.

Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8912

 

POPULATED: The CVE entry has been published with at least a minimum amount of detail and at least one public reference.

Example: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0002

 

 

Chris Coffin

The CVE Team

--


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
secalert@redhat.com
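As an added example (not part of this thread or of any CVE project code), the following validator enforces the CVE_data_meta layout Kurt proposes, using the five states from Chris's list. The STATE_DETAIL tag names are an assumption derived from Chris's reject reasons, not an agreed vocabulary.

```python
import json

# The five states Chris lists in the thread.
STATES = {"UNASSIGNED", "RESERVED", "REJECT", "DISPUTED", "POPULATED"}

# Assumed STATE_DETAIL tags per state, spelled out from Chris's reject
# reasons. Only REJECT has a tag table in the thread, so STATE_DETAIL on any
# other state is treated as an error until tags for it are agreed.
DETAIL_TAGS = {
    "REJECT": {
        "DUPLICATE_ASSIGNMENT",
        "DUPLICATE_RESERVATION",
        "TYPO_IN_SEQUENCE_OR_YEAR",
        "MIXED_ISSUES_OR_DUAL_USE",
        "MERGED",
        "WITHDRAWN_BY_CNA",
        "CNA_EXPIRED_POOL",
    },
}


def validate_meta(meta):
    """Return a list of problems found in a CVE_data_meta dict (empty if OK)."""
    problems = []
    state = meta.get("STATE")
    if state not in STATES:
        problems.append(f"unknown STATE {state!r}")
        return problems
    detail = meta.get("STATE_DETAIL")
    allowed = DETAIL_TAGS.get(state)
    if allowed is None:
        if detail is not None:
            problems.append(f"no STATE_DETAIL tags defined for {state}")
    elif detail is None:
        problems.append(f"{state} requires STATE_DETAIL")
    elif detail not in allowed:
        problems.append(f"unknown STATE_DETAIL {detail!r} for {state}")
    desc = meta.get("STATE_DESCRIPTION")
    if desc is not None and not isinstance(desc, str):
        problems.append("STATE_DESCRIPTION must be a free-form string")
    return problems


def validate_entry(text):
    """Parse a JSON CVE entry and validate its CVE_data_meta block."""
    return validate_meta(json.loads(text).get("CVE_data_meta", {}))


# Constructed sample entry in Kurt's proposed shape (ID is a placeholder).
SAMPLE = json.dumps({"CVE_data_meta": {
    "ID": "CVE-YYYY-NNNNN", "STATE": "REJECT",
    "STATE_DETAIL": "DUPLICATE_ASSIGNMENT",
    "STATE_DESCRIPTION": "it all went horribly wrong"}})
```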


Page Last Updated or Reviewed: May 26, 2017