
RE: Regarding CVE assignments on oss-sec mailing list



On Sun, 29 Nov 2015, Williams, Ken wrote:

: [...]
: > If CVE fails to provide IDs on a few issues, after three months, I will
: > personally lobby my company to publish advisories without an assignment,
: > and make it very clear that it was done because CVE chose not to assign.
: > It isn't fair that CVE holds up the coordinated disclosure process in
: > cases where the requesting party and vendor are not CNAs themselves. Given
: > that I suggested CVE expand the CNA body a while back, and that appears to
: > have fallen on deaf ears, there is no excuse for MITRE at this point.
: [...]
:
: A disclosure process should never be held up by a pending CVE
: assignment.  Just go ahead and disclose and put "pending CVE assignment"
: on the CVE line.

Except, that is problematic for issues like Apache Commons. CVE's delay in
assigning, or clearly saying how assignments would be handled (e.g. one ID
vs one ID per vendor vs one ID per product) led to serious confusion
already. IBM started using Oracle's assignment in advisories before CVE
finally replied to IBM PSIRT instructing them to use their own. But the
damage is done: even with IBM's own ID, some internal divisions are still
using Oracle's assignment a week later [1].

This highlights the importance of timely assignments and/or direction from
CVE to the CNAs.

.b


[1] http://www-01.ibm.com/support/docview.wss?uid=swg1JR54748


Page Last Updated or Reviewed: December 01, 2015