[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CVE REJECT State
- To: "Coffin, Chris" <ccoffin@mitre.org>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: RE: CVE REJECT State
- From: "Coffin, Chris" <ccoffin@mitre.org>
- Date: Wed, 14 Jun 2017 15:09:28 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
- Delivery-date: Wed Jun 14 11:17:35 2017
- In-reply-to: <MWHPR09MB14854B508EA6C04A285C15EDA1C30@MWHPR09MB1485.namprd09.prod.outlook.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <MWHPR09MB14854B508EA6C04A285C15EDA1C30@MWHPR09MB1485.namprd09.prod.outlook.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AdLlGkulehLykhFATT2z+8vQ1xFWhQABKHNg
- Thread-topic: CVE REJECT State
|
Just realized that I didn’t provide an example for why something might change.
---------------------- As a recap, a CVE ID listed as "REJECT" is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the description of the CVE ID. Possible examples
include it being a duplicate CVE ID, it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECT CVE IDs should be ignored. However, there may be cases where a CVE ID previously marked
as REJECT might need to move back to RESERVED or a populated state (i.e., the details and references are published and included).
The CVE Team and Board agree that the REJECT state should NOT be considered permanent, and that changes to this CVE ID state should be allowed in the future.
An example case could include a simple accidental REJECT, where a CVE ID was marked as REJECT by a CNA but was used publicly. In this case, it would create more confusion and additional work to REJECT the
already used CVE ID, assign a new CVE ID, and also make sure that all public references are updated. The change discussed here would be to simply change the REJECT CVE ID and populate it with the details that were intended. Both the Team and Board agree that some downstream consumers of CVE may be currently interpreting the REJECT state as permanent and that the CVE ID will never change in the future. It was also
agreed that we should provide proper notice to the community that this change in use of the REJECT state should be provided. This announcement serves as notice that beginning July 17, CVE IDs in the REJECT state can be changed to another state at any time as appropriate. If you have any comments or concerns about this change, please send them to our CVE Request web form at
https://cveform.mitre.org/ (select the Other request type). Regards, The CVE Team From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Coffin, Chris All, In the last meeting we discussed sending out a note to the community in regards to changing the use of the REJECT state. Here is a draft of what I had planned to send to the community via the news section of the web site, via the CVEAnnounce
Twitter account, and CVE/CWE/CAPEC LinkedIn profile. Please provide any comments or feedback by Friday the 16th. Chris ---------------------- The CVE Team and Board have recently revisited the use of CVE States (e.g., REJECT, RESERVED, DISPUTED), and are planning to make some necessary changes to them in the coming months. One of the changes recently discussed was in how the
REJECT state is applied, and specifically whether a REJECT CVE can change states again at a later date. As a recap, a CVE ID listed as "REJECT" is a CVE ID that is not accepted as a CVE ID. The reason a CVE ID is marked REJECT will most often be stated in the description of the CVE ID. Possible examples include it being a duplicate CVE ID,
it being withdrawn by the original requester, it being assigned incorrectly, or some other administrative reason. As a rule, REJECT CVE IDs should be ignored. However, there may be cases where a CVE previously marked as REJECT might need to move back to RESERVED
or a populated state (i.e., the details and references are published and included).
The CVE Team and Board agree that the REJECT state should NOT be considered permanent, and that changes to this CVE state should be allowed in the future. Both the Team and Board agree that some downstream consumers of CVE may be currently
interpreting the REJECT state as permanent and that the CVE will never change in the future. It was also agreed that we should provide proper notice to the community that this change in use of the REJECT state should be provided. This announcement serves as notice that beginning July 17, CVEs in the REJECT state can be changed to another state at any time as appropriate. If you have any comments or concerns about this change, please send them to our CVE Request web form at
https://cveform.mitre.org/ (select the Other request type). Regards, The CVE Team |
- References:
- CVE REJECT State
- From: "Coffin, Chris" <ccoffin@mitre.org>
- CVE REJECT State
- Prev by Date: CVE REJECT State
- Next by Date: Re: CVE Current States
- Previous by thread: CVE REJECT State
- Next by thread: Agenda for CVE Board Meeting June 28
- Index(es):
