RE: CVEs listed incorrectly at MITRE as reserved

Kent asked:

> Is it not a part of the CNA issuing process to send MITRE the CVE related information when one is issued?
> ... Are CNAs sending their assignments to you?

CNAs do not author their own CVE descriptions.  They also don't usually inform MITRE when they've published, but that isn't relevant to the RBP backlog.  We are usually aware when a reserved CVE has been published, because we monitor the sources that other CNAs already publish to (sometimes it's the CNAs themselves, Bugtraq, vuln DBs, etc.).

Just because a CNA assigns a CVE ID, that doesn't mean the CVE will be for a must-have product or will be listed in a full-coverage source.  Some CNAs provide CVEs to other parties that are only partial-coverage at best; e.g. Red Hat supports a lot of private coordination for many open source distros - not just their own - plus their role in assigning CVEs to many third-party packages on the oss-security mailing list.  MITRE itself is also the primary CNA for many CVE reservations that aren't for high-priority products or sources.

Once we're aware of the reserved CVE, MITRE is then responsible for populating (writing) the CVE description and linking to at least one reference.  It's often analytically expensive to resolve often-significant inconsistencies or errors, extract the relevant details, write the description, and map to references.  We also have other kinds of complexity, such as identifying duplicates or resolving inappropriate abstraction (i.e. SPLITs or MERGEs).

This analytical overhead has been a major contributor to our RBP backlog, in conjunction with the massive increase in CVEs being reserved in the first place due to the success of the distributed CNA model.  We have been increasing our productivity, which is why we are now able to reduce the backlog.

- Steve

Page Last Updated or Reviewed: October 03, 2014