[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regarding CVE assignments on oss-sec mailing list

On 2015-11-26 09:36, Kurt Seifried wrote:

> Just as an aside, secalert@redhat.com <mailto:secalert@redhat.com> has
> also seen a number of requests in the form "we asked Mitre and now we're
> asking you" which I was unable to fulfill because the risk of a
> duplicate is to high

Just to pile on (again), CERT regularly gets requests for CVE IDs in
which the requester has asked MITRE/CVE and has not received a response.
 Also some vendor CNAs are, not performing, as Brian has mentioned.

Having CERT, or Kurt/OSS-SEC, or some other CNA assign more IDs is only
part of the problem.  As best I understand it:

1. CVE assigned
2. Publication/disclosure
3. MITRE/CVE populates entry (based on #2)
4. NVD and other downstream activity

If we increase #1, that just pushes work further down the list.

The current assignment model/process is under stress and probably needs
to change for CVE to remain broadly useful and relevant.

Any thoughts on how to go about this?  Starting with an evaluation of
current state/issues?


 - Art

Page Last Updated or Reviewed: November 27, 2015