[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CNA Rules Announcement


Thanks for the note. 

> I'm not releasing details of vulnerabilities publicly giving the 
> vendor time to fix it.  Would having the above details in the web 
> form assist you all in this process? or you don't require details 
> until the disclosure goes public?

One thing that should probably be pointed out here. The “Notify CVE 
about a publication” form should really only be used when you the CVE 
ID(s) in question are public and ready to be populated in the CVE 
repository. It would seem that you could put tomorrow's date into that 
form and expect that the CVE repository entry would wait until 
tomorrow, but keep in mind that this process is not yet automated. 
Also, what happens if something changes on your side and you need to 
wait on publication. Currently there would be no easy way to change 
this date. For now, it would be best if you only use the form in 
question once the CVE ID has been published on your side. I am 
definitely open to comments and suggestions on this as well.

As for the fields themselves, we are definitely aware of the fact that 
the current “Notify CVE about a publication” form does not follow 
Appendix B exactly. This is mostly a side effect of us creating the CNA 
rules *after* we created the web forms. We will need to either update 
the Notify of publication form, or just create a new form specific to 
CAN notification of publication. 

In the meantime, I think it makes sense to just include the data in the 
Additional information field. The field should be large enough to hold 
a reasonably sized set of fields from Appendix B. The form already has 
specific fields for the CVE ID and advisory reference. I believe the 
reference field will allow multiple references separated by a new line, 
but if not then this could also be included in the additional 

As I had stated previously, this works ok if you have one or a couple 
CVE IDs to publish. If you have a number of IDs to publish all at once, 
the best option currently would be through email. 

If anyone else on the list has any additional suggestions or thoughts 
on the topic, please don't hesitate to share them. We will most 
definitely be thinking about methods for automation around this process 
as we move forward.

Thanks for the feedback!


-----Original Message-----
From: Larry W. Cashdollar [mailto:larry0@me.com] 
Sent: Friday, October 07, 2016 11:13 AM
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>; cve-cna-list 
Subject: Re: CNA Rules Announcement


Upon filling out the form for publishing a CVE I thought you might have 
the same fields as required in the rules document:


I'm not releasing details of vulnerabilities publicly giving the vendor 
time to fix it.  Would having the above details in the web form assist 
you all in this process? or you don't require details until the 
disclosure goes public?


(so far this has been a very smooth process, I'm happy)

> On Oct 7, 2016, at 11:14 AM, Coffin, Chris <ccoffin@mitre.org> wrote:
> Greetings,
> On Monday, October 10th, all CNAs should be assigning CVE IDs based 
> on the new CNA rules listed here:
> <http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>
> As you use these new rules, please feel free to share any feedback 
> you might have with the rest of the CNA community and MITRE. We would 
> like to understand what is working and what isn’t so that the rules 
> evolve to meet the needs of the program and so that additional 
> guidance and training can be developed based on what we collectively 
> learn.  You can share your feedback through the cve-cna-list mailing 
> list or directly to MITRE through the CVE Web Form.
> <https://cveform.mitre.org/>
> It was noted by an early reviewer that the Rules document does not 
> provide explicit guidance on how to notify the primary or root CNA 
> regarding publications. Appendix B provides the format but does not 
> mention the method, and this will be corrected soon. There are 
> currently two acceptable methods of sending requests for publication. 
> The first would be to use the above web form and select the option 
> “Notify CVE about a publication.” This option works well if you are 
> publishing one or maybe a handful of CVE IDs, but may not work well 
> if publishing a large amount of CVE IDs. The second method would be 
> to create a file as outlined in Appendix B and to email that file to 
> us. We prefer that you use the cve@mitre.org address at the moment, 
> though this could change in the future.
> We intend to collect and broadly share feedback over the next 3-6 
> months so that these rules remain effective and current.  If this 
> time frame must be accelerated based on the conditions on the ground, 
> then it will be based on the feedback we receive.
> Thank you to those that offered feedback during the drafting of the 
> document. We look forward to working with the CNAs to help get these 
> rules implemented and to work out any kinks.
> Please let us know if you think it isn’t time to implement these new 
> rules.  We think it is based on the feedback to-date coupled with the 
> board call yesterday.
> Chris Coffin
> The CVE Team

Page Last Updated or Reviewed: October 10, 2016