Re: Current and future CVE states
On 5/3/17 3:36 PM, Kurt Seifried wrote:
> PUBLIC - currently covered by the minimum JSON format
Published by the appropriate CNA(s), fully public, known to the
master/MITRE list. Implies RESERVED and ASSIGNED.
> REJECT - currently not covered by JSON format, needs specific sub
> states?
Was ASSIGNED (and RESERVED) but has now been REJECTed.
> Reason: This candidate was withdrawn by its CNA.
WITHDRAWN?
> Reason: This candidate is a reservation duplicate of CVE-2017-7466.
> Notes: All CVE users should reference CVE-2017-7466 instead of this
> candidate.
> DWF had these states for REJECT’ed CVEs:
> DUPLICATE_OF [CVE]
> SPLIT_TO [list of CVEs]
> MERGED_TO [lCVE]
> REJECT (classic, e.g. not a vuln)
REJECT:NOTAVULN?
These all seem useful.
> RESERVED - currently not covered by JSON format, needs specific sub
> states?
>
> RESERVED as part of CNA block, not used yet (do we want to actually
> list this uniquely?)
>
> RESERVED as an actual CVE assignment that will become public (most
> useful for MITRE “Retail” assignments?)
ASSIGNED: Assigned by a CNA to a vulnerability, but not public yet,
likely under embargo. ASSIGNED implies RESERVED.
RESERVED: Reserved by a CNA for future assignment, but not ASSIGNED, and
not in the UNASSIGNED pool.
UNASSIGNED: Default state? In the pool of infinite available IDs but
not in any other state? Needed at all?
- Art
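
An added illustration of the state model discussed in this message (not code from the thread's participants or from the CVE project): it encodes the "implies" relations and the REJECT sub-states named above and checks a record against them. The record layout (`id`, `state`, `reason`, `refs`), the reference-count rules per sub-state, and the ID `CVE-1900-0001` are assumptions constructed for the example.

```python
import re

CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# State names are from the thread; edges follow "X implies Y" as worded there.
IMPLIES = {
    "UNASSIGNED": set(), "RESERVED": set(),
    "ASSIGNED": {"RESERVED"},
    "PUBLIC": {"ASSIGNED", "RESERVED"},
    "REJECT": {"ASSIGNED", "RESERVED"},  # "Was ASSIGNED (and RESERVED)"
}

# REJECT sub-state -> (min, max) referenced CVE IDs; None means unbounded.
# The cardinalities are assumptions; the thread only names the sub-states.
REJECT_REASONS = {
    "DUPLICATE_OF": (1, 1), "SPLIT_TO": (1, None), "MERGED_TO": (1, None),
    "NOTAVULN": (0, 0), "WITHDRAWN": (0, 0),
}

def implied_states(state):
    """Transitive closure of the implies relation, including the state itself."""
    seen, todo = set(), [state]
    while todo:
        s = todo.pop()
        if s not in seen:
            seen.add(s)
            todo.extend(IMPLIES[s])
    return seen

def validate(record):
    """Return a list of problems found in a record dict (hypothetical layout)."""
    state = record.get("state")
    if state not in IMPLIES:
        return [f"unknown state {state!r}"]
    reason, refs = record.get("reason"), record.get("refs", [])
    if state != "REJECT":
        return ["reason/refs only allowed on REJECT"] if (reason or refs) else []
    if reason not in REJECT_REASONS:
        return [f"REJECT needs a reason from {sorted(REJECT_REASONS)}"]
    errors = []
    lo, hi = REJECT_REASONS[reason]
    if len(refs) < lo or (hi is not None and len(refs) > hi):
        errors.append(f"{reason} has wrong number of referenced CVEs")
    errors += [f"bad CVE ID {r!r}" for r in refs if not CVE_ID.match(r)]
    if record.get("id") in refs:
        errors.append("record references itself")
    return errors

if __name__ == "__main__":
    # Constructed record mirroring the "reservation duplicate" reason quoted above.
    dup = {"id": "CVE-1900-0001", "state": "REJECT",
           "reason": "DUPLICATE_OF", "refs": ["CVE-2017-7466"]}
    print(sorted(implied_states("PUBLIC")), validate(dup))
```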