
RE: What is the future of CVE - Scope, Volume & Quality?

Reading Mark's comments in his response, so I will add mine to his.  I personally no longer deal directly with the CVE editorial board.  However, my team functions as the CNA for our own products, so we still work closely with the MITRE CVE team.

2. What relationship should CVE have with any international effort (such as IVDA) to identify vulnerabilities disclosed in non-English based markets?

MP - I can only speak for our products, but many of them do require localization into several local languages depending on the specific product and the security issue being addressed.  So many of our disclosure dates are actually based on the availability of localized updates/patches for a "localized" product as well as the base English language release.

Mark's suggestion of regional CNAs for non-English language products isn't a bad one, though coordination with and management of them may be a concern.

As a CNA for Symantec product issues, one question we always ask a finder when implementing the initial coordination process on a reported issue is, "Do you intend to contact MITRE for a CVE ID or have you already contacted MITRE for a CVE? Or, would you rather we handle that?"  Surprisingly enough, we have had the occasional finder make their initial contact with us with a CVE ID already assigned even before we have verified the validity of their finding.  Usually though, we coordinate smoothly on assigning the CVE.  We have even assigned one of ours to multi-vendor issues as a result of on-going coordination during the resolution and remediation process. 

As Mark stated in his response, we too have found ourselves going to the content decision section on the MITRE page or firing off a "what-if" question to Steve.  I'm not sure it's a matter of training; rather, it's one of occasionally getting something in that makes you scratch your head.

We haven't had much of a problem with duplicates, but that has required some vigilance on our part to ensure we are making the right, or best-guesstimate, content decision.  It also requires effective coordination with the finder, or with the coordinating organization of a multi-vendor issue, to ensure multiple CVEs aren't being assigned to the same issue, requiring unraveling at some point.

I'm still reading Kent's point paper, but he's making some valid points as well.


Mike Prosser
Product Security Team
Symantec Research Labs
Office of the CTO, Symantec Corporation 

Page Last Updated or Reviewed: November 06, 2012