
RE: Regarding the Distributed Weakness Filing system



Kurt and Pascal,

 

Confirmed. The CVE Team received the emails and is reviewing the issues that you and others have raised. We apologize for the delay in responding and we are working to address those issues by 03/11/16. Going forward, the team will strive for same-day response to messages from the CVE Editorial Board List, but no longer than one business day.  

 

Thank you for your contributions and for your patience as we work to improve our processes.

 

The CVE Team

 

From: Kurt Seifried [mailto:kseifried@redhat.com]
Sent: Wednesday, March 09, 2016 9:46 AM
To: Pascal Meunier <pmeunier@cerias.purdue.edu>; Boyle, Stephen V. <sboyle@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Regarding the Distributed Weakness Filing system

 

Can someone from Mitre at least confirm that they have seen this email? It's been over a week now with no reply from Mitre on anything: 

 

 

 

On Mon, Mar 7, 2016 at 7:49 PM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

On 03/07/2016 08:53 PM, Kurt Seifried wrote:

"The vendor declined to fix the vulnerability".


That one is jaw-dropping.  By implication, if I refuse to fix it, you can't mention it, discuss it, or issue an advisory about it?  That's obstructing vulnerability disclosure, and a way to stimulate full disclosure by default for future issues.

Can MITRE please report how many times this reason is used?

Pascal



 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: March 09, 2016