[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Regarding CVE assignments on oss-sec mailing list

To: jericho <jericho@attrition.org>, cve-editorial-board-list<cve-editorial-board-list@lists.mitre.org>
Subject: RE: Regarding CVE assignments on oss-sec mailing list
From: "Williams, Ken" <Ken.Williams@ca.com>
Date: Sun, 29 Nov 2015 15:11:20 +0000
Accept-Language: en-US
Authentication-Results: spf=none (sender IP is 129.83.29.2)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=noneheader.from=ca.com;
Delivery-Date: Sun Nov 29 18:52:51 2015
In-Reply-To: <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty1ZWyzaqpHE2_0h5rQsmtCVs_dziAv68wXs46TJKjozjg@mail.gmail.com> <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: NSPM
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:23
SpamDiagnosticOutput: 1:2
Thread-Index: AQHRKA9Iy6+JFOBGy0u4Cx99OZ5F3J6t1v0AgAVHXgA=
Thread-Topic: Regarding CVE assignments on oss-sec mailing list

> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of jericho
> Sent: Thursday, November 26, 2015 12:28 AM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: Regarding CVE assignments on oss-sec mailing list
[...]
> If CVE fails to provide IDs on a few issues, after three months, I will
> personally lobby my company to publish advisories without an assignment,
> and make it very clear that it was done because CVE chose not to assign.
> It isn't fair that CVE holds up the coordinated disclosure process in
> cases where the requesting party and vendor are not CNAs themselves. Given
> that I suggested CVE expand the CNA body a while back, and that appears to
> have fell on deaf ears, there is no excuse for MITRE at this point.
[...]

A disclosure process should never be held up by a pending CVE assignment.
Just go ahead and disclose and put "pending CVE assignment" on the CVE line.

--
kw

Follow-Ups:
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- RE: Regarding CVE assignments on oss-sec mailing list
  - From: jericho <jericho@attrition.org>

References:
- Regarding CVE assignments on oss-sec mailing list
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: jericho <jericho@attrition.org>

Prev by Date: Re: Major outstanding CVE requests
Next by Date: CVE Issues
Prev by thread: Re: Regarding CVE assignments on oss-sec mailing list
Next by thread: Re: Regarding CVE assignments on oss-sec mailing list
Index(es):
- Date
- Thread