Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Wow. Such the fire storm. I'll try to stay close to Steve's
original specific concerns and I'll toss in my 2 cents on one
of the larger issues only at the end.
Steve Christey wrote:
> However, candidate reservation will be available to anyone
> who asks, including individuals who may not trust me. If such an
> event were to theoretically happen, it would be my word against
Welcome to the club. Hypothetically, MITRE and say, BindView, could
be accused of collusion by somebody if
1) BindView requests a CAN number
2) MITRE reserves the CAN number for BindView
3) Subsequently a third party requests a CAN for the same issue
4) MITRE denies the request (on behalf of BindView)
So, trust is an issue regardless of whether or not MITRE is
As you correctly noted, the real problem is here is the lack
of trust in MITRE by the third party.
"Steven M. Christey" wrote:
> 2) Diligence Level 1 for CVE candidate reservation allows the
> assignment of 1 CVE candidate number to an unknown party. (See
At the risk of reviving discussions from past Editorial Board
meetings, I would assert that the "trust" issue is deeply
compounded if and when MITRE begins to reserve CAN numbers
for folks not on the CVE board. Let me explain...
David LeBlanc wrote:
> Academia (and I can speak from experience on this one, as my name can
> properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most
Allow me to finish this sentence to suit my own needs!
Academia is easily one of the most experienced in dealing with these
sorts of issues. We should borrow heavily from them if it helps.
Typically, academic journals will only consider submissions from people
with the proper credentials. And note, they do so at the risk
of complaints by the non-credentialed that in so doing, the journals
are denying a voice to dissenting views and serve only to protect
the dominant orthodoxy or meta-narrative [insert stock, post-modern
deconstructionist rant here if you want ;^].
Applying this observation to the CVE process, I would suggest that it
makes sense to only accept CAN requests from those who have the peer
accepted credentials of Editorial Board membership. This will go a
long way to take care of any concerns about MITRE's handling of these
matters as it would guarantee a certain level of professionalism for
all involved and thus, a higher level of trust.
If we are concerned with the CVE process becoming too closed to
to the general public, then we can rely on certain identified Board
Members to be the publicly identified "gatekeepers" who can request
CANs in proxy for those outside of the Board. It also makes sense
to me separate this gatekeeping function from the CAN assignment
function played by MITRE. That is, I would suggest that MITRE NOT
directly assign CANs to people or orgs not on the Editorial Board.
NOTE: Presently, *any* Editorial Board member can request a CAN
number in proxy for somebody outside of the board!
Consider, as a board member I could request a CAN number and nobody
on the board, including MITRE, really needs to know where or how I
got the info or who did the initial discovery. The discoverer, if
different from me, is trusting me with the info and I as her proxy,
am trusting MITRE and the Editorial Board to handle the info
appropriately. My point here is that currently, all board members
could, at this very moment, be requesting CAN numbers in proxy for
outsiders and none of us have the ability to know the difference, one
way or another.
This is fully appropriate, imo. I trust my fellow board members
and as long as they feel the issue warrants a CAN number, they are
entitled to request the CAN number from MITRE.
Going back to the academic journal example, an academic journal
may not even consider a paper from David LeBlanc's mom, but they
might from her son because he has the peer accepted credentials
of a terminal degree in his field. More importantly to my point,
they would consider the paper even if it contained his mom's ideas.
David would merely be her proxy.
[FWIW: A Budget Of A Trisection from the Springer-Verlag library makes a
great read on the subject of non-credentialed mathematical crack-pots.
It may shed some light on the noise we see in mailing lists.]
============= TANGENTIAL COMMENTARY BEGINS HERE ================
For those debating the relative merits of security advisories,
I offer up the following snippets from an article recently
written by Al Berg and published by ICSA in Information
"When you buy a vulnerability scanner, you are buying expertise...
Hence, before choosing a vulnerability-scanning product, you should
take a careful look at the team supporting it... A good indicator of
the technical savvy of a vendor's team is the number and quality of
papers, advisories and tools it has authored."
One could challenge Mr. Berg's assertion by citing a chicken and
egg paradox. To whit, has Mr. Berg merely bought into the marketing
hype of vendor advisories hook, line and sinker? Or, are advisories,
the quality of the research team and the quality of the tools
directly related? It's an interesting question but it is totally
missing the point.
Whether or not they have real technical merit, security advisories
are an established feature in the marketplace. To deny this is
to ignore market realities. Until that reality changes, they have
Dave Mann || e-mail: firstname.lastname@example.org
Senior Security Analyst || phone: 508-485-7737 x254
RAZOR Security Team || cell: 617-968-2697
BindView Corporation || fax: 508-485-0737