[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Fwd: RE: Delays with numerous CVE-IDs assignments (fwd)

Following up on Kurt's mail.

I'd ask that MITRE respond in a fashion that does not blame the CVE 
Editorial Board for these delays, and outright refusals to issue IDs.

Please note that MITRE also refused to issue IDs to HTBridge for 
vulnerabilities in OsCommerce, with over 250,000 deployed stores, calling 
it "out of scope", as seen below.


This thread clearly shows that the Editorial Board were not given a real 
choice as far as sources, just picking the most important of a tiny subset 
of sources. To wit:

    As you consider these groups, understand that we are discussing
    prioritization, not feasibility.  It may be the case that CVE's current
    practices will need to be changed to provide the stated coverage goals
    for some of these sources.  We'll address that issue in later email

    We'll give some indications as to why we think the second group should
    be only partially covered below.

MITRE's failure or unwillingness to issue IDs is not really as "agreed 
upon with the CVE Editorial Board". We were given a few absolutely 
horrible options to pick from, and now you claim to be enforcing what we 
agreed on? That is shifting blame entirely.

Next, consider that I emailed CVE-assign about a potential duplicate 
assignment on 2016-01-29, received an auto-reply of sorts on 2016-02-02, 
had to poke MITRE again on 2016-03-02 to remind them that the two vendors 
in question were IBM and Apache, both on the primary list. Only then did 
they reply with the details needed to help figure out the confusion in 
assignment, which is still outstanding (but now squarely looking to be on 
the shoulders of the researcher, not MITRE or a CNA).

Further note that the archives are not updating, magically again, when a 
negative post about the MITRE process appears. It's getting hard to write 
this off as coincidence.


-------- Forwarded Message --------
Subject: RE: Delays with numerous CVE-IDs assignments
Date: Thu, 18 Feb 2016 23:01:37 +0000
From: Coffin, Chris <ccoffin@mitre.org>
CC: CVE ID Requests <cve-assign@mitre.org>

I am very sorry for the delays in responding to these requests. The CVE 
team is actively working towards providing more timely responses to all 
CVE-related communications.

The MITRE CVE team has started enforcing the scope and coverage 
requirements previously agreed upon with the CVE Editorial Board, and 
outlined in http://cve.mitre.org/cve/data_sources_product_coverage.html. 
MITRE and the CVE Editorial Board agreed upon this scope several years 
ago, but only recently put it into effect by declining to assign CVE IDs 
to products that are out of scope.  We are currently working with the CVE 
Editorial Board to define a more up to date list of products, as well as a 
process that would allow products to be added or subtracted as 
appropriate, but do not know when this will be completed.

With the exception of the Exponent CMS issue that was already assigned a 
CVE-ID, the listed advisories affect products that do not appear within 
our published or in-development products lists and would therefore be out 
of scope at this time. If you feel that this is in error and that these 
products should be within the CVE scope, please feel free to provide 
justification (i.e., large install base, used in many IT shops, etc.). If 
you do provide justification, we will add the products to a list for a 
later review and possible inclusion within the CVE product lists.

If you have any further questions or concerns, don't hesitate to ask and I 
am happy to help.

Best regards,

Chris Coffin
The CVE Team
The MITRE Corporation

Page Last Updated or Reviewed: March 07, 2016