
Re: recent CVE criticism



On Tue, 31 May 2016, Kurt Seifried wrote:

: I suspect David Jorm may slightly have the wrong end of the stick or be
: basing this on some misinterpreted information (perhaps Google/WebKit
: CVE handling, which has been a bit messy historically? Or Project Zero
: related stuff?). Google is not a CNA and not on the board however so I
: can't see how they'd have much influence over Mitre. It's on my todo
: list to talk to him (full disclosure: he used to be my manager @Red Hat
: some time ago before he left).

Agreed. Google P0 primarily relies on CNAs to assign. Tracking their
disclosures in a spreadsheet though, you can see where CNAs fail to follow
policy on assigning based on the ID vs year (e.g. 2015 discoveries are
getting CVE-2016-xxxx based on public disclosure).

Part of me thinks it will be a wild conspiracy, Colbert-style or
Yard-style (Larry Wilmore show), with pictures, strings, and amusing
'relations'.

: Like many groups we're nowhere near organized or competent enough to
: have some sort of CVE related conspiracy going on (and if there is one
: and I wasn't invited in I'll be proper annoyed ;).

I see this more akin to government conspiracies at large. People ascribe
amazing powers of secrecy and power to a government that is
well-documented as failing in magnificent ways on such a simple level,
while imagining that some level of it can hide UFOs for almost 100 years.
MITRE is struggling to do basic assignments for 'Tier 1' sources, so it is
hard to imagine some secret cabal related to CVE is actually out there. =)


Page Last Updated or Reviewed: June 01, 2016