[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fwd: CVE Question

On 2016-01-17 20:12, Kurt Seifried wrote:

> On Sun, Jan 17, 2016 at 11:15 AM, Radek <radekk@protonmail.com
> <mailto:radekk@protonmail.com>> wrote:
>
>     I asked on cve-assign@mitre.org <mailto:cve-assign@mitre.org> for
>     CVE numbers reservation a week ago and it's still without the
>     response. Is it a standard processing time? It would be great to
>     have CVE assigned before disclosing the vulnerability publicly.

> Why is this still a problem? Is anyone else getting mails like this
> still (e.g. CERT?). I figure for every one of these emails I get there
> must be more people that just give up =(.

We see similar requests, and have tried various machinations of
assignment policy.

1. For disclosures we are directly involved in, we assign (if no other
vendor/CNA is available, or if a vendor CNA does not assign when they
should...).

2. For high-confidence requests (typically researchers and other CSIRTs
we have experience with) we usually also assign.

3. For "hey, I found this vul and got it fixed and need a CVE" we
redirect to MITRE.  Even when the requester has already asked MITRE and
is asking us after.

Our difficulty with #3 is that it's non-trivial effort to ask for
details, sort out abstraction/content decisions, go back and forth with
the requester, then issue IDs.  I'm sure Jonathan understands this :)

We could potentially hand out IDs like candy (like Kurt!), but our
thinking was to limit our CNA scope to cases we are already close to,
and to not create more backlog for MITRE.

For those keeping track:  CVE requester --> Cisco | Symantec --> CERT
--> MITRE.

A couple things for the list Kent started:

* CVE assignment and CVE entry creation are distinct.

* The authority/distribution of CVE assignment across CNAs needs to be
clarified.

Regards,

 - Art
Page Last Updated or Reviewed: January 30, 2016