
dispute resolution



We're repeatedly running into issues with how to handle disputes.  This 
should be expected with the increasing number of CNAs and federation.

A few recent examples:

"An interesting data point" thread

"Problematic assignments for subpar reports via CVE request form" 
thread (Lin Wang)

On 2017-12-06 10:00, Waltermire, David A. (Fed) wrote:
> Under #3 or as a separate item, I'd like to have us explore what the workflow
> could be for submitting corrections to another organization. For example, what
> if the NVD finds a spelling error in a CVE entry description or a fixed broken
> reference? How could we submit a pull request to kick off a workflow to allow
> that feedback to be addressed by the appropriate party? What degree of
> automation could we use to support this?

While we will always need board and CNA discussions to work out 
emerging issues and policy and technology solutions, I suggest we look 
at something more distributed and lower effort.

I see at least two classes of dispute that get 
conceptually/subjectively difficult to resolve:

1. "not a vulnerability"

2. Split/merge

Here is just one idea.

Continue with the current assignment rules and CNA expansion (and 
expanding the git/github pilot).

For any dispute, flag the entry (possibly using the existing DISPUTED 
state/status, although I also want to review CVE states).  Along with 
the flag there needs to be a way to capture the nature of the dispute, 
possibly a short text/log entry, like "crash only."  Also the source of 
the dispute.

On ${date} Carsten disputes CVE-2016-LINWANG with reason "crash only, 
no evidence of security impact."

The rest of the CVE downstream ecosystem can keep right on moving.  
Those who want to treat disputed entries differently are free to do so.

And if/when a dispute is resolved, update the entry.

Who has dispute permissions?  Board members, CNAs, anyone?

For split/merge issues, the dispute logging feature could record the 
proposed relationships:

https://github.com/FIRSTdotorg/vrdx-sig-vxref-wip/blob/master/vxref/schema/vxref_schema_03.json

I'd suggest this as a board meeting agenda item, although I'm doubtful 
for the 12/13 meeting.

Regards,

 - Art


Page Last Updated or Reviewed: December 06, 2017