[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE Current States

To: Beverly Finch <beverlyfinch@lenovo.com>, "Coffin, Chris" <ccoffin@mitre.org>
Subject: Re: CVE Current States
From: "kseifried@redhat.com" <kseifried@redhat.com>
Date: Fri, 26 May 2017 10:32:54 -0600
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=none header.from=redhat.com;
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Tue May 30 07:46:59 2017
In-reply-to: <63507D25FF3F774F9AA912018147F1DB01085FB2A4@USMAILMBX01>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <MWHPR09MB14852CA28BDB4D4259BDB4CAA1FF0@MWHPR09MB1485.namprd09.prod.outlook.com> <CANO=Ty0SKo8LKeTwMCgGLuejpsFVexvLgXUvx22fwW4cqykwOw@mail.gmail.com> <63507D25FF3F774F9AA912018147F1DB01085F8B2F@USMAILMBX01> <MWHPR09MB148500311EC3B97AB29C0D83A1FC0@MWHPR09MB1485.namprd09.prod.outlook.com> <63507D25FF3F774F9AA912018147F1DB01085FB2A4@USMAILMBX01>
Reply-to: <kseifried@redhat.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.8.0

On 05/26/2017 07:59 AM, Beverly Finch wrote:
> Chris,
> 
>  
> 
> I prefer the second option.  Keep RESERVED as the state and add
> STATE_DETAIL. 
> 
> I can’t think of any other possible state details but we should 
> consider
> any reporting requirements/stats that may be helpful to Mitre or CNAs 
> in
> the future.
> 
>  
> 
> You mentioned ALLOCATED when talking about UNASSIGNED state.  Is
> ALLOCATED a state or would this be same as RESERVED?
> 
>  
> 
> For REJECT, if there is not a defined list of reject reasons, I
> encourage the team to define them (for consistency in reporting).  Add
> ‘other’ as a catchall for anything missed.  Some ‘fault’ needs to be
> associated with each reason in order to be actionable in the future.

One concern there is defining behavior. E.g.:

REJECT: something went wrong, don't use this.
RESERVED: this is planned for use, you will see it at some future point
(either PUBLIC or REJECTED)
PUBLIC: this is used and here's the info.

I can't think of an "Other" situation (either we're planning to use the
CVE, using it, or explicitly not using it). My thought is if we really
truly run into a situation that isn't covered we need to define it
officially, I don't want data that is not defined and requires human
interaction ideally.

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- CVE Current States
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CVE Current States
  - From: Kurt Seifried <kseifried@redhat.com>
- RE: CVE Current States
  - From: Beverly Finch <beverlyfinch@lenovo.com>
- RE: CVE Current States
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- RE: CVE Current States
  - From: Beverly Finch <beverlyfinch@lenovo.com>

Prev by Date: RE: CVE Current States
Next by Date: Re: CVE/CNA coverage
Previous by thread: RE: CVE Current States
Next by thread: Re: CVE/CNA coverage
Index(es):
- Date
- Thread