[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regarding CVE assignments on oss-sec mailing list

On Thu, Nov 26, 2015 at 4:50 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

Thank you Kurt, for responding to a need and making the CVE more relevant and usable.  CVE usability isn't just how IDs are referred to after assignments, but how quick and painless the assignment process can be.  Thanks to Kurt and Brian for making the scope of the problem obvious and easily understandable, with examples.  The board has had discussions in the past (many years ago) about quality vs number of identified CVE issues;  these tended to emphasize the need for quality.  However, CVE risks losing acceptance if it doesn't provide sufficient identifiers with a manageable latency.


Just as an aside, secalert@redhat.com has also seen a number of requests in the form "we asked Mitre and now we're asking you" which I was unable to fulfill because the risk of a duplicate is to high (whereas in a public form like OSS-SEC the chance of a duplicate is reduced because everyone can see the traffic/replies). I wasn't sure if people were simply getting impatient, but it seems like this is more normal than I'd hoped.

I know internally at Red Hat we have some SLA's for our security team, although we don't specifically have one for CVE assignments but the general rule is "1 business day, 2 max" which we usually meet unless it's a messy assignment and requires some back and forth. Perhaps an SLA for assignments (with some caveats for "difficulty" of assignment)? 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: November 27, 2015