
Re: Please welcome Kurt Seifried to the CVE Editorial Board

On 2015-11-04 09:26, Kurt Seifried wrote:

> One thing I do know is some of the external issues facing CVE (e.g.
> people asking for CVE's on oss-sec that then take a while), I was
> wondering if there are specific internal issues/challenges, e.g. are the
> requests taking a long time/eating up resources because the requests are
> poor? I often bounce private CVE requests back with "I need more info,
> specifically X/Y/Z", and have been very firm with fuzzing reports (I
> need minimized test cases and root cause analysis, not a pile of 100
> text files that crash a command line app, and as it turns out that's all
> they do).

We (at CERT/CC) face similar issues in our CNA role.  We get researchers
asking for a CVE ID for legitimate, but low severity/impact
vulnerabilities that we otherwise would not handle or publish.  One
option is to redirect the researcher to cve-assign, which sometimes
comes back as "I already asked them and didn't get an answer so I'm
asking CERT."

I believe that CVE looks for a reasonably trusted public source of
information (this might get to the sources and products lists) on which
to base a CVE ID assignment and entry.  So a researcher publishing
themselves or dropping mail on full-disclosure might not be enough to
support CVE ID assignment and writeup (in the case that neither CERT nor
the vendor publish).

While I support the idea that every vulnerability should have an
identifier -- ideally a CVE ID -- there are tradeoffs with quality,
quantity/scope/coverage, assignment speed, and resources.  It may be
that working policy is that certain vulnerabilities just don't get CVE
IDs?  Should a CNA (CERT) shunt requests to cve-assign or just say "no?"


 - Art

PS, Welcome Kurt!

Page Last Updated or Reviewed: November 12, 2015