[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: DWF Open Source CNA requirements:
- To: Kurt Seifried <kseifried@redhat.com>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: Re: DWF Open Source CNA requirements:
- From: Art Manion <amanion@cert.org>
- Date: Mon, 7 Nov 2016 09:54:00 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;mitre.org; dkim=none (message not signed) header.d=none;
- Delivery-date: Mon Nov 7 15:33:26 2016
- In-reply-to: <CANO=Ty07fp9do=fC_-U_Jz-0s4raobPw3-RvN6aZABtJiq3WKQ@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CANO=Ty07fp9do=fC_-U_Jz-0s4raobPw3-RvN6aZABtJiq3WKQ@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:45.0) Gecko/20100101 Thunderbird/45.4.0
On 2016-11-06 16:03, Kurt Seifried wrote: > 4. What software specifically will you be assigning CVEs for (this can > be everything you ship, or a limited subset, either way the DWF will > require a list of names at a minimum, ideally with URLs to the > software) Is something general allowed, e.g., non-vendor CNAs that might have broad/not-known-in-advance coverage? > 5. You must provide a public method (e.g. no login required) for > published CVEs (e.g. product ChangeLog or a security page with a list > of > CVEs and minimum information as specified in the CNA Rules) As soon as it's worked out, publication must be in the standard minimum CVE format and published using the standard transport. > 10. Once a CVE is made public (e.g. you have fixed the issue) you must > tell the DWF within 24 hours (by pull request to the > DWF-Database-Artifacts at a minimum, and optionally the DWF-Database > as > well) using the minimum DWF-Database-Artifact specification currently > in > use > (https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/JSON-file-format-CURRENT.md) > Is performing #10 not the same as #5? - Art
- Follow-Ups:
- Re: DWF Open Source CNA requirements:
- From: Kurt Seifried <kseifried@redhat.com>
- Re: DWF Open Source CNA requirements:
- References:
- DWF Open Source CNA requirements:
- From: Kurt Seifried <kseifried@redhat.com>
- DWF Open Source CNA requirements:
- Prev by Date: DWF Open Source CNA requirements:
- Next by Date: Re: DWF Open Source CNA requirements:
- Previous by thread: DWF Open Source CNA requirements:
- Next by thread: Re: DWF Open Source CNA requirements:
- Index(es):
