
Re: upcoming intel issue



On Wed, 3 Jan 2018, Landfield, Kent wrote:

: On your second question, you have hit one of my sore points. I am a
: vendor, Intel is a vendor, RedHat is a vendor. I do not want ANYONE
: creating CVEs for my company's issues except my PSIRT team. Vendors
: need to be given the first opportunity and only if they officially have
: stated they are not going to issue an appropriate CVE in a clear and
: precise way, should anyone ever get in the way of their alerting their
: customers through an established advisory process. There is NO
: first-come-first-served with authorized CVE CNAs. Period.

First, I understand your point completely and appreciate it. Second, 
devil's advocate:

The first 24 hours of news coverage had the same bit: "Intel has not
responded to our request for comment". The Wired article published about
half an hour ago is the first I have seen to quote someone from Intel.
Meanwhile, Apple already patched via workaround in macOS over a month ago,
Linux patches have been public for some time, etc. A single article I have
seen has given this vuln a name (Chipzilla), meaning the last 24+ hours
this has been "the Intel bug" to some, "the Linux Kernel vulnerability" to
others. Since CVE was designed in part to give a single unique identifier,
it's worth discussing if high-profile issues w/o public vendor / CNA
reference should use a different assignment process.

Thoughts?

Brian


Page Last Updated or Reviewed: January 04, 2018