RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I agree with Mike,
The reason for having the various levels was to prevent someone from
abusing the system and potentially putting a lot of extra work on the
content team and editorial board. I don't see this as being a problem with
the team members here.
Ken
| -----Original Message-----
| From: owner-cve-editorial-board-list@lists.mitre.org
| [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Mike Prosser
| Sent: Thursday, September 21, 2000 9:45 AM
| To: 'Steven M. Christey'; cve-editorial-board-list@lists.mitre.org
| Subject: RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
|
|
| I would think that since you are (aren't you?) announcing as a member of
| MITRE, even if you announce as an individual, that a certain level of trust
| must be given to the organization and through the organization to you. Any
| of us who have worked with you have various levels of trust we would assign
| you as an individual {8>). I believe there is a difference between you
| making your first vulnerability announcement and being an "unknown" party,
| at least to everyone who has been working with CVE.
| I personally have no problems with you requesting sufficient CAN reservations
| to cover the number of problems you have found. You obviously are doing the
| right thing as far as I am concerned in working closely with the vendor
| prior to making a "full" public disclosure.
|
| my $.02
|
| mike
|
| -----Original Message-----
| From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
| Sent: Wednesday, September 20, 2000 7:11 PM
| To: cve-editorial-board-list@lists.mitre.org
| Subject: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
|
|
| All:
|
| I recently discovered some new vulnerabilities in some software. I
| have been working with the software vendor to ensure that a fix is
| made available before I publicize it to the usual places. I also plan
| to include candidate numbers in my initial announcement.
|
| Due to the increased analysis going on behind the scenes for CVE
| candidates, as well as some other non-CVE work I'm involved in with
| respect to developing source code analysis tools, it is likely that I
| or another member of the CVE content team will discover more
| vulnerabilities in the future.
|
| There are some potential areas in which there may be a real or
| perceived conflict of interest that I wanted to review with Board
| members. Your feedback is appreciated, and you can reply directly to
| me if you wish to make private comments.
|
| 1) I am somewhat concerned that if I disclose these vulnerabilities,
| then it may discourage others from requesting CVE candidate numbers
| from me in the future. Some people may fear that if they provide
| me with details when requesting a candidate, that I could turn
| around and announce it, then claim that I was the discoverer. This
| is a concern because we will be opening candidate reservation
| (formerly called private candidate assignment) up to more people in
| the coming months.
|
| I assume that Board members would not have this problem of trusting
| me :-) However, candidate reservation will be available to anyone
| who asks, including individuals who may not trust me. If such an
| event were to theoretically happen, it would be my word against
| theirs.
|
| A mitigating factor in this is that I would expect to personally
| notify and work with vendors on all newly discovered
| vulnerabilities, in which case the vendor could be a neutral third
| party. In addition, those who request candidate numbers do not
| necessarily need to provide me with any details.
|
| 2) Diligence Level 1 for CVE candidate reservation allows the
| assignment of 1 CVE candidate number to an unknown party. (See
| http://cve.mitre.org/board/archives/2000-05/msg00179.html). Since
| I have not announced any vulnerabilities in the past, in that
| sense I am an unknown party, and my diligence level would be 1.
| However, in the case of my discovery, 2 separate vulnerabilities
| will be disclosed. To be established at diligence level 2,
| however, I would need to have announced at least 3 new security
| problems.
|
| Should an exception be made for "trusted people who haven't
| announced 3 new security vulnerabilities" (assuming I'm trusted ;-)
| Or should I be forced to only use one candidate? Does anybody care
| about diligence levels anyway?
|
| 3) Regardless of how I obtain a candidate number before announcement,
| the candidate will move through the remainder of the Editorial
| Board review process like any other candidate, subject to the same
| voting requirements as others.
|
| Let me know what you think. I believe the vendor will have the fixes
| ready in a few days.
|
| Thanks,
- - Steve
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 6.5.3 for non-commercial use <http://www.pgp.com>
iQA/AwUBOcoVE3fba3jWxdCmEQLwgQCgjbGDKfDqJoPm0fBqTb9rt+IvFBAAoJYb
aWYw0LI3w28FTNbKSRXrXn4F
=x3QX
-----END PGP SIGNATURE-----