
Re: CNAs using CVE IDs for Internal Bug Tracking

On Fri, 24 Feb 2017, Kurt Seifried wrote:

: > One suggestion was made on the Board call that might help mitigate
: > some of the problems associated with allowing this flexibility to CNAs. The
: > suggestion was to create a new CVE ID status to cover CNA block
: > reservations. Instead of RESERVED, we might refer to them as 
: > or some other tag that differentiates them from other currently 
: > CVE IDs. This could help CVE end-users differentiate between CVE IDs
: > assigned as blocks to CNAs versus CVE IDs assigned to researchers 
: > public or non-public but already identified vulnerabilities.
: I would suggest we have several main states:
: RESERVED by a CNA that plans to use it (e.g. may be part of a block) -
: not sure we need to explicitly mention this (e.g. my block of 1
: million...)
: ASSIGNED by a CNA but not yet public
: PUBLIC

That would be slick, having ASSIGNED to designate that interim state.

But given the historical dismal communication between CNAs back to 
that might be many years in the making before it became useful/reliable.


Page Last Updated or Reviewed: February 27, 2017