
Re: Non-public Sources of information



That makes a lot of sense to me.

Pascal

On Wed, 1 Apr 2015 10:39:39 -0400
"Boyle, Stephen V." <sboyle@mitre.org> wrote:

> Recently, two named sources of vulnerability information for CVE, Secunia and
> X-Force, have implemented login requirements, and have restricted which logins
> are allowed access. We recognize that such restrictions are part of a trend in
> which some sources are attempting to balance their desire to provide the
> public with useful vulnerability information with the fact that it is often
> very expensive and resource-intensive to curate such information.
> 
> As has been our documented practice, CVE can only refer to information that is
> publicly accessible and free for use by anyone. Any source referenced by CVE
> is free to implement any form of access control, such as a login, as long as
> the control (1) does not limit which people or organizations can use the
> source, and (2) does not impose any excessive inconvenience to the user.
> E.g., if any requester can create and obtain a login for otherwise
> unrestricted access, such as by providing an email address, CVE still
> considers the source to be "public."
> 
> If, however, access to the information is denied by the provider for any
> reason that MITRE determines is intended to limit who is allowed to access
> it, then the source is not considered "public" by CVE and will not be
> used, even if CVE is allowed access while others are restricted. Similarly,
> any public source referenced by CVE cannot contain any restrictions for the
> sharing or reuse of its information, beyond the usual expectations that users
> include proper attribution to the source, avoid plagiarism or reposting, etc.
> Sources that are inherently open without restrictions, such as
> Full-Disclosure or Bugtraq, are presumed to have no access restrictions.
> 
> As a result of Secunia's and X-Force's decisions to restrict access to their
> vulnerability information, we wanted to formally notify the Board that CVE
> will no longer reference Secunia or X-Force in our entries. If their access
> policies change in the future such that they again become publicly
> accessible, then we will again reference their vulnerability information.
> 
> Please note that although OSVDB restricts access to its search functionality,
> CVE still considers OSVDB as a "public" source. While CVE no longer directly
> monitors OSVDB's site, since OSVDB allows people with interactive web
> browsers to access individual OSVDB entries, CVE is free to reference
> OSVDB entries as long as they are cross-referenced in some other source
> or disclosure that is publicly available.
> 
> MITRE is not considering the removal of previous entries in the CVE List that
> cite Secunia, X-Force, or other sources from the past that were originally
> public but then restricted, such as VUPEN. The references were public at the
> time we associated them with the CVE entries and may serve as important
> correlating identifiers, or they acted as the primary or secondary source of
> information in the CVE description. Any such mass removal would affect
> thousands of CVE entries, which would have unexpected adverse impacts on
> downstream consumers who monitor and act on CVE changes.
> 
> Best Regards,
> The MITRE CVE Team


Page Last Updated or Reviewed: April 14, 2015