
Re: recent CVE criticism

On Tue, 31 May 2016, Kurt Seifried wrote:

: I suspect David Jorm may slightly have the wrong end of the stick or 
: basing this on some misinterpreted information (perhaps 
: CVE handling, which has been a bit messy historically? Or Project Zero 
: related stuff?). Google is not a CNA and not on the board however so 
: can't see how they'd have much influence over Mitre. It's on my todo 
: list to talk to him (full disclosure: he used to be my manager @Red 
: some time ago before he left).

Agreed. Google P0 primarily relies on CNAs to assign. Tracking their 
disclosures in a spreadsheet though, you can see where CNAs fail to 
policy on assigning based on the ID vs year (e.g. 2015 discoveries are 
getting CVE-2016-xxxx based on public disclosure).

Part of me thinks it will be a wild conspiracy, Colbert-style or 
Yard-style (Larry Willmore show), with pictures, strings, and amusing 

: Like many groups we're nowhere near organized or competent enough to 
: have some sort of CVE related conspiracy going on (and if there is 
: and I wasn't invited in I'll be proper annoyed ;).

I see this more akin to government conspiracies at large. People 
amazing powers of secrecy and power to a government that is 
well-documented at failing in magnificent ways on such a simple level, 
while imagining that some level of it can hide UFOs for almost 100 
MITRE is struggling to do basic assignments for 'Tier 1' sources, so it's 
hard to imagine some secret cabal related to CVE is actually out there. 

Page Last Updated or Reviewed: June 01, 2016