
Re: Please welcome Kurt CVE to the CVE Editorial Board

On Fri, Nov 6, 2015 at 11:28 PM, jericho <jericho@attrition.org> wrote:
On Tue, 3 Nov 2015, Boyle, Stephen V. wrote:

: Kurt [..] has assigned 4,760 CVEs to date while at Red Hat.

Kind of surprised this number is so low honestly.

But, anyone on the board who works at a CNA, consider this please. He's
handing out assignments on oss-sec, which in 2015, is kind of the wild
west to a degree. This is not some researcher coming to your shop,
disclosing an issue in your product, where you have the most expertise.
Kurt is typically assigning IDs to an absurd amount of third-party
libraries, many of which your company uses. Even if you don't know it.

One note, Mitre has handled public CVE assignments on oss-security@ since the beginning of the year. Red Hat as a CNA (so myself, and now several other people) still handles internal Red Hat Open Source assignments, "private" assignments (people that email secalert@redhat.com directly for OpenSource issues) and "public but not well known" issues, e.g. if we find a git commit somewhere, but things like the Apache ChangeLog or PHP ChangeLog get handled publicly by Mitre. So (fortunately I think =) I'm assigning a lot fewer CVEs now than in the previous years.

So... welcome Kurt! I advocated for you to be on the board for almost
three years, and I apologize in advance. =)
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: November 13, 2015