
Interim position on assigning CVEs for automated testing and other large-scale vulnerability disclosures



All,

In the past, CVE has occasionally been requested to assign CVE-IDs for submissions based on the results of automated testing or similar methods that can produce a large number of findings. We will refer to these as “large-scale requests.” We have traditionally handled such requests on a case-by-case basis, but with the increasing use of automated testing tools and similar methods, we believe that large-scale requests for CVE-IDs will become more frequent.

Steve Christey Coley is preparing a paper on this topic, but we wanted to provide the Board with an interim statement to help clarify our position and our planned response to large-scale CVE requests for the near term.

Our interim position is that we will not treat large-scale cve-assign requests as substantially different from individual requests. By that, we mean that the submitting researcher or discloser should provide sufficient proof that a vulnerability exists for each individual finding of their testing based on the same criteria we use for any other cve-assign request. Also, the researcher/discloser should characterize each automated finding in their request based on the underlying vulnerability type and affected versions, which are important details for CVE abstraction that influence the number of CVE-IDs to be assigned. If proof of vulnerability and/or abstraction-relevant details are not available, then we may choose to ask the requester to provide them, and/or de-prioritize any extensive work that would be necessary for us to perform the relevant analysis ourselves, thereby delaying our full response.

We understand and recognize that our interim position does not address large-scale requests where sufficient information is provided to justify assignment of a large number of CVE IDs. If such a case or cases arise in the near future, then we will prioritize and handle them as they come. Steve Christey Coley’s upcoming paper will address this and related issues.

Best Regards,

Steve Boyle and Steve Christey Coley
MITRE CVE


Page Last Updated or Reviewed: April 14, 2015