RE: CVE's for private/"Secret" issues

To: 'Kurt Seifried' <kseifried@redhat.com>, cve-editorial-board-list<cve-editorial-board-list@lists.mitre.org>
Subject: RE: CVE's for private/"Secret" issues
From: Mike Prosser <mprosser@symantec.com>
Date: Thu, 19 Nov 2015 09:39:14 -0800
Accept-Language: en-US
acceptlanguage: en-US
Authentication-Results: spf=none (sender IP is 129.83.29.2)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=noneheader.from=symantec.com;
Delivery-Date: Fri Nov 20 09:40:28 2015
In-Reply-To: <CANO=Ty2_RSgjozk=_w11=MRjTcYnw-TDD3XkjiooVGtUqFSg_A@mail.gmail.com>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty2_RSgjozk=_w11=MRjTcYnw-TDD3XkjiooVGtUqFSg_A@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2
Thread-Index: AdEi7WBWP6p5Qr7aSRS8hKK7IST+VQAAcKig
Thread-Topic: CVE's for private/"Secret" issues

Kurt,

I know that TippingPoint ZDI (think they are still part of HP), for one, does work with the vendor on the issues they purchase from finders and the vendors, at least we do, assign CVEs to the issues reported to us by ZDI once we release an advisory. Not sure if they contact the Mitre team for CVEs for those vendors that don’t get their own though…

-Mike

Symantec Software Security Group

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Thursday, November 19, 2015 11:12 AM
To: cve-editorial-board-list
Subject: CVE's for private/"Secret" issues

Hey I was just reading

http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/#slide-2

TL;DR: another firm that acquires 0 day vulns, the news being they published their price chart.

There are now several firms like this (TIppingPoint, ImmunityInc, etc.) and I was wondering what, if any, process there is with respect to CVE assignments, my experience is that the sooner a CVE is assigned the better, ideally prior to public release if possible. Has Mitre reached out to these companies at all to help them understand the value of getting CVE's in advance and so on?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- CVE's for private/"Secret" issues
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: CVE's for private/"Secret" issues
Next by Date: Re: CVE's for private/"Secret" issues
Prev by thread: Re: CVE's for private/"Secret" issues
Next by thread: Regarding CVE assignments on oss-sec mailing list
Index(es):
- Date
- Thread