Recently, two named sources of vulnerability information for CVE, Secunia and X-Force, have implemented login requirements and have restricted which logins are allowed access. We recognize that such restrictions are part of a trend in which some sources are attempting to balance their desire to provide the public with useful vulnerability information against the fact that it is often very expensive and resource-intensive to curate such information. As has been our documented practice, CVE can only refer to information that is publicly accessible and free for use by anyone. Any source referenced by CVE is free to implement any form of access control, such as a login, as long as the control (1) does not limit which people or organizations can use the source, and (2) does not impose any excessive inconvenience on the user. For example, if any requester can create and obtain a login for otherwise unrestricted access, such as by providing an email address, CVE still considers the source to be “public.”

If, however, access to the information is denied by the provider for any reason that MITRE determines is intended to limit who is allowed to access it, then the source is not considered “public” by CVE and will not be used, even if CVE is allowed access while others are restricted. Similarly, any public source referenced by CVE cannot contain any restrictions on the sharing or reuse of its information, beyond the usual expectations that users include proper attribution to the source, avoid plagiarism or reposting, etc. Sources that are inherently open without restrictions, such as Full-Disclosure or Bugtraq, are presumed to have no access restrictions.

As a result of Secunia’s and X-Force’s decisions to restrict access to their vulnerability information, we wanted to formally notify the Board that CVE will no longer reference Secunia or X-Force in our entries. If their access policies change in the future such that they again become publicly accessible, then we will again reference their vulnerability information.

Please note that although OSVDB restricts access to its search functionality, CVE still considers OSVDB a “public” source. While CVE no longer directly monitors OSVDB’s site, since OSVDB allows people with interactive web browsers to access individual OSVDB entries, CVE is free to reference OSVDB entries as long as they are cross-referenced in some other source or disclosure that is publicly available.

MITRE is not considering the removal of previous entries in the CVE List that cite Secunia, X-Force, or other sources from the past that were originally public but then restricted, such as VUPEN. The references were public at the time we associated them with the CVE entries and may serve as important correlating identifiers, or they acted as the primary or secondary source of information in the CVE description. Any such mass removal would affect thousands of CVE entries, which would have unexpected adverse impacts on downstream consumers who monitor and act on CVE changes.

Best Regards,
The MITRE CVE Team