[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey

I would think that since you are (aren't you?) announcing as a member of
MITRE, even if you announce as an individual, that a certain level of trust
must be give to the organization and through the organization to you.  Any
of us who have worked with you have various levels of trust we would assign
you as an individual {8>).  I believe there is a difference between you
making your first vulnerability announcement and being an "unknown" party,
at least to everyone who has been working with CVE.
I personally have no problems with you requesting sufficent CAN reservations
to cover the number of problems you have found.  You obviously are doing the
right thing as far as I am concerned in working closely with the vendor
prior to making a "full" public disclosure.

my $.02


-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Wednesday, September 20, 2000 7:11 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: [CVEPRI] Handling new vulnerabilities discovered by Steve


I recently discovered some new vulnerabilities in some software.  I
have been working with the software vendor to ensure that a fix is
made available before I publicize it to the usual places.  I also plan
to include candidate numbers in my initial announcement.

Due to the increased analysis going on behind the scenes for CVE
candidates, as well as some other non-CVE work I'm involved in with
respect to developing source code analysis tools, it is likely that I
or another member of the CVE content team will discover more
vulnerabilities in the future.

There are some potential areas in which there may be a real or
perceived conflict of interest that I wanted to review with Board
members.  Your feedback is appreciated, and you can reply directly to
me if you wish to make private comments.

1) I am somewhat concerned that if I disclose these vulnerabilities,
   then it may discourage others from requesting CVE candidate numbers
   from me in the future.  Some people may fear that if they provide
   me with details when requesting a candidate, that I could turn
   around and announce it, then claim that I was the discoverer.  This
   is a concern because we will be opening candidate reservation
   (formerly called private candidate assignment) up to more people in
   the coming months.

   I assume that Board members would not have this problem of trusting
   me :-) However, candidate reservation will be available to anyone
   who asks, including individuals who may not trust me.  If such an
   event were to theoretically happen, it would be my word against

   A mitigating factor in this is that I would expect to personally
   notify and work with vendors on all newly discovered
   vulnerabilities, in which case the vendor could be a neutral third
   party.  In addition, those who request candidate numbers do not
   necessarily need to provide me with any details.

2) Diligence Level 1 for CVE candidate reservation allows the
   assignment of 1 CVE candidate number to an unknown party.  (See
   http://cve.mitre.org/board/archives/2000-05/msg00179.html).  Since
   I have not announcced any vulnerabilities in the past, in that
   sense I am an unknown party, and my diligence level would be 1.
   However, in the case of my discovery, 2 separate vulnerabilities
   will be disclosed.  To be established at diligence level 2,
   however, I would need to have announced at least 3 new security

   Should an exception be made for "trusted people who haven't
   announced 3 new security vulnerabilities" (assuming I'm trusted ;-)
   Or should I be forced to only use one candidate?  Does anybody care
   about diligence levels anyway?

3) Regardless of how I obtain a candidate number before announcement,
   the candidate will move through the remainder of the Editorial
   Board review process like any other candidate, subject to the same
   voting requirements as others.

Let me know what you think.  I believe the vendor will have the fixes
ready in a few days.

- Steve

Page Last Updated or Reviewed: May 22, 2007