[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE request form is missing an important bit

From the early days, the rationale behind CVE was that it was never meant to be a database, just an index. Thus, for example, the list of references for a CVE, or the description was never meant to be the canon or the most comprehensive description of the vulnerability. It was not meant to be the repository for all info related to the vulnerable. However, the state of the vulnerability info space meant that CVE was the best centralized source of info, so people started using it as a database for all sorts of purposes including statistical. There are better DBs out now, such as NVD that add additional info.Thus, I think the year was really meant just as a convenience, so you didn't just start at 1 and go to infinity. You could reset the counter to zero each January. 

My point is that the year of the CVE shouldn't be a major data item, and it shouldn't matter much if the year is 2016 or 2017 for a December vuln. 

But that said, I don't really care if steps are taken to let the requester request the year either. As I said, I don't think it is very important.

That's my opinion.


On Jan 5, 2017, at 9:21 AM, Landfield, Kent B <kent.b.landfield@intel.com> wrote:

Hi Chris,

What would your response have been if Brian had said the vulnerability was ‘public’ in December 2016?  I get your justification/education in this specific case but he has a valid point that the form needs to be enhanced.  There is nothing that says you cannot add the explanation as to how to appropriately use the ‘year’, but it is clear the form needs to be able to support this type of issue.  The idea was we would send in suggestion to enhance the submission form via real world experiences and this seems to fit that case. ;-)  Granted, we should normally only see this type of issue shortly after the 1st of any year but ...


Kent Landfield

On 1/5/17, 9:01 AM, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Coffin, Chris" <owner-cve-editorial-board-list@lists.mitre.org on behalf of ccoffin@mitre.org> wrote:

   The year portion of the ID is not meant to indicate when the vulnerability was discovered. In general, the year portion translates to either the request year, or the public disclosure year.

   We had explained the thought behind our process in an oss-security post (quoted below) a couple of years ago [1]. The following is the main take away from that post.

   "The year portion of a CVE ID typically reflects when the CVE was requested for non-public issues; or for already-public issues, the year portion typically reflects the year of disclosure. The disclosure date itself can be a subject of interpretation, such as when an issue is disclosed at a publicly-accessible URL but only likely to be noticed by a limited audience ("technically public") versus when the issue becomes "widely public" to the infosec industry."

   We could ask for this data in an optional field, but it might not be used if the requester is unclear on how the year is currently used in CVE. Would this be a problem on your side, i.e., you ask for a specific year but it's assigned something different? Also, What would the specific benefits be to allowing the requester to specify the year?

   If anyone else has any thoughts or opinions that would differ from this, please let us know.

   [1] http://seclists.org/oss-sec/2015/q1/46

   Chris Coffin
   The CVE Team

   -----Original Message-----
   From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
   Sent: Wednesday, January 04, 2017 5:39 PM
   To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
   Subject: CVE request form is missing an important bit
   Importance: High


   The current form for requesting a CVE ID [1] only has one box that could be used for this, "Additional information", but does not prompt the question at all. The significant thing missing is that when requesting an ID, you should be asked what year the ID is for.

   e.g. I requested an ID for my day job yesterday and it even slipped my mind that it technically should have been a 2016 ID since the issue was discovered in December. As the form does not include anything to ask such a question, it didn't occur to me either.

   I believe the form needs to add a box or drop-down and request this information, likely with a one-liner about how the year-based assignments work (i.e. year it was discovered and/or disclosed to vendor, not publicly), to better track vulnerabilities by year.


   [1] https://cveform.mitre.org/

Andy Balinsky

Attachment: smime.p7s
Description: S/MIME cryptographic signature

Page Last Updated or Reviewed: January 05, 2017