
RE: what text is being sent to researchers re: OSS assignments?



> Yes, this is basically my point. The wording of the blog I quoted 
> suggests that the text MITRE is sending may not jibe with "check 
> these links first". It sounds like he was told "anything OSS go to 
> DWF". Thus my question for clarification.

A CVE team analyst directs the request to the appropriate CNA as 
needed. We do have some template text that we send out for requests 
that should be handled by the DWF CNA, but it's just basic info on how to 
submit a request to them. In addition, we have begun providing the 
requester the text of their CVE web form request so that they don't 
need to retype everything on the DWF side. 

Note that the CNA list has grown and the proper routing for a request 
will only get more complicated. As Kent suggested earlier, we have 
spoken about moving towards a landing page where we could implement 
some form of automation that handles this routing in a timely and 
consistent manner (e.g., if Product == Microsoft, send request to 
secure@microsoft.com, if open_source == True AND Product != 'Apache', 
send request to DWF, etc.). 

If you have any suggestions please pass them along. 

Chris

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
jericho
Sent: Monday, December 19, 2016 12:24 PM
To: Landfield, Kent B <kent.b.landfield@intel.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: what text is being sent to researchers re: OSS assignments?
Importance: High

On Mon, 19 Dec 2016, Landfield, Kent B wrote:

: Couple points of reference....
: 
: https://cve.mitre.org/cve/data_sources_product_coverage.html#products
: https://cve.mitre.org/cve/cna.html

Yes, this is basically my point. The wording of the blog I quoted 
suggests that the text MITRE is sending may not jibe with "check these 
links first". It sounds like he was told "anything OSS go to DWF". Thus 
my question for clarification.

: On 12/19/16, 8:13 AM, "owner-cve-editorial-board-list@lists.mitre.org 
: on behalf of Landfield, Kent B" 
: <owner-cve-editorial-board-list@lists.mitre.org on behalf of 
: kent.b.landfield@intel.com> wrote:
: 
:     Can we please post this to the appropriate place? If you have an 
: issue with this decision that the Board actively discussed, please ask
: the question there.  There is no reason to cross-post every message to
: both lists.  This was a swim lane issue discussed by the Board and also
: discussed at the face-to-face meeting we had in Rockville, MD in
: November.

Not questioning the decision, questioning how this was implemented in 
the context of CVE consumers requesting an ID. To me this is a Board 
issue and impacts the CNA, so I posted to both lists. 


Page Last Updated or Reviewed: December 19, 2016