[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: upcoming intel issue

They are being done by Intel.  Publishing pending shortly.


On your second question, you have hit one of my sore points…  I am a vendor, Intel is a vendor, RedHat is a vendor.  I do not want ANYONE creating CVEs for my company’s issues except my PSIRT team.  Vendors need to be given the first opportunity and only if they officially have stated they are not going to issue an appropriate CVE in a clear and precise way, should anyone ever get in the way of their alerting their customers through an established advisory process.  There is NO first-come-first-served with an authorized CVE CNAs.  Period.


Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!



Kent Landfield





From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of Kurt Seifried <kurt@seifried.org>
Date: Wednesday, January 3, 2018 at 2:01 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: upcoming intel issue


So the thing that's in the news, assuming it has CVEs, can we make sure they are populated to the CVE database asap, and if Intel does not do we have a plan B (e.g. MITRE writes them up?). 


Also in general I think we should probably figure out some guidelines for these high visibility issues, e.g. encourage the original CNA to get them into the database asap, and have a plan B in case they don't (e.g. MITRE or someone else with info writes them up? first come first served? trusted parties only? or?). 



Kurt Seifried

Page Last Updated or Reviewed: January 04, 2018