Re: Regarding CVE assignments on oss-sec mailing list
On 11/26/2015 01:27 AM, jericho wrote:
> This should be a critical issue to the board, as this is alienating
> companies that have declared themselves "CVE compatible".
This is extremely concerning. I, and I believe the entire board, would
like to see all software security advisories in the world include CVE
IDs. That puts the assignment on the critical path in the vulnerability
disclosure and repair process. Assignment delays mean delays in
disclosures, advisories, and fixes; they mean that a public disclosure
will be more likely to happen before a fix or workarounds are ready, or
that people will make more money off the insecurity of others. Delays
mean people stay insecure longer. For CVE to be accepted on the critical
path of time-sensitive professional industry processes, it should
provide some sort of response time guarantee.
I suggest that:
1. MITRE either accept assignment requests with deadlines, or that it
removes itself from the critical path, designating CNAs and referring
all such requests to CNAs that can handle deadlines.
2. MITRE monitor and escalate the priority given to languishing issues,
or explicitly give up on them.
3. MITRE automatically make assignment requests made to MITRE available
for other CNAs to handle, with thanks, if they so desire after a certain
amount of time, or if the issue was abandoned as per #2.
It sounds like technical resources and competency are present internally
at MITRE but mismanaged, or the internal culture and incentive structure
at MITRE is a mismatch for the reproducible, assured handling of
time-sensitive requests.
If MITRE wants to remain on the critical path, it perhaps should explain
to the board how CVE assignments are tracked and prioritized? Does
MITRE use an aging process increasing the priority of assignments that
have been languishing, especially increasing it faster if the assignment
is straightforward? Does MITRE have internal tracking and metrics so
that such a process could be used? Are people held accountable
internally if an issue languishes, and is there an escalation process?
Thank you, Kurt, for responding to a need and making the CVE more
relevant and usable. CVE usability isn't just how IDs are referred to
after assignments, but how quick and painless the assignment process can
be. Thanks to Kurt and Brian for making the scope of the problem
obvious and easily understandable, with examples. The board has had
discussions in the past (many years ago) about quality vs number of
identified CVE issues; these tended to emphasize the need for quality.
However, CVE risks losing acceptance if it doesn't provide sufficient
identifiers with a manageable latency.
Pascal