Will this result in the creation of a bunch of new “rejected” CVE entries in the CVE data feeds? If so, I don’t think this specific approach is ideal or effective. If I am understanding this correctly, the feeds will be littered with a bunch of “rejected” entries. It may even be the case that the number of rejected entries will outnumber the actual used CVE entries.

While the board has agreed that sharing information about rejected and unused portions of the address space is needed, I don’t recall any decisions being made about how to do that yet. If decisions have been made, there may be some confusion about how this is proceeding.

If I am interpreting this correctly, I believe the board should discuss the specifics of this technical solution being proposed here before moving forward with making these changes.

Regards,
Dave

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Adinolfi, Daniel R

All,

To help reduce the number of reserved but unused CVE IDs in the CVE List, the CVE Team will reject CVE IDs that CNAs have indicated as being unused from their prior CVE ID allocations. The CVE IDs affected include those from years 1999 through 2016. CVE List consumers will see 3103 reserved CVE IDs become rejected in an update on May 10th. Each of these CVE entries will be updated with the following information ([Year] is replaced with four-digit year):

"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during [Year]. Notes: none."

CNAs are given blocks of CVE IDs each year, and those CVE IDs are marked as "RESERVED" in the CVE list until they are assigned to a vulnerability and published. CNAs often do not use all the CVE IDs they are allocated, which results in many reserved CVE IDs that will never be assigned to a vulnerability.

Going forward, at the start of each new calendar year, the CVE Team will ask CNAs for the list of unused CVE IDs from their allocations. Once we have that list of unused CVE IDs, we will update those CVE IDs to "REJECT" status, hopefully making it clearer that the CVE IDs do not represent unannounced vulnerabilities. (For more details about the meaning of the "REJECT" status, refer to <http://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id>.)

If there are any questions about this process, you can contact the CVE Team at <https://cveform.mitre.org/>.

Thanks.

-Dan, for the CVE Team

_________________________
Daniel Adinolfi, CISSP
Lead Cybersecurity Engineer, The MITRE Corporation
CVE Communications and CNA Coordinator
Email: <dadinolfi@mitre.org>
Phone: 781-271-5774