
Re: Regarding the Distributed Weakness Filing system



Can someone from Mitre at least confirm that they have seen this email? It's been over a week now with no reply from Mitre on anything: 

https://cve.mitre.org/data/board/archives/2016-03/msg00000.html
https://cve.mitre.org/data/board/archives/2016-03/msg00006.html
https://cve.mitre.org/data/board/archives/2016-03/msg00008.html


On Mon, Mar 7, 2016 at 7:49 PM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
On 03/07/2016 08:53 PM, Kurt Seifried wrote:
"The vendor declined to fix the vulnerability".

That one is jaw-dropping.  By implication, if I refuse to fix it, you can't mention it, discuss it, or issue an advisory about it?  That's obstructing vulnerability disclosure, and a way to stimulate full disclosure by default for future issues.

Can MITRE please report how many times this reason is used?

Pascal



--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: March 09, 2016