[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Required information for CVE entry submissions

On 9/13/17 11:15 AM, Adinolfi, Daniel R wrote:


PRODUCT, including vendor/project

VERSION, describing what versions are and are not affected

PROBLEMTYPE, a free-form bit of data, though some use CWEs here

REFERENCES, URLs pointing to public information about the
vulnerability that includes all the information that may be in the
CVE entry

DESCRIPTION, a human-readable description of the vulnerability
To summarize the proposed changes, the following information would be
required under the proposals:





PUBLICATION DATE (of the vulnerability information becoming public;
or a timeline of specific events related to the vulnerability being
made public)

ASSIGNING CNA (or chain of assigning CNAs if there is a Sub-CNA under
a Root doing the assignment)

IMPACT> There is also a proposal to remove REFERENCES from required information if all the required information can be included in the description. There is a related discussion as to whether the CVE List can include vulnerability information not found anywhere else, acting as a first publication point. <https://github.com/CVEProject/docs/issues/26>

DESCRIPTION would also become optional, the argument being that all the 
same information would be available in the required fields.

We do not currently have a proposed categorization or taxonomy of 

Require DESCRIPTION.  I don't think the other fields are (yet) careful enough 
about capturing "all" the necessary information.

Require REFERENCES.  CVE's mission is primarily identification, not 
publication or disclosure.  Yes, a well-detailed CVE entry could 
possibly contain enough information to act as a primary publication, 
but that's across the scope line for me.  If CVE can be the 
primary/first/only documentation of a vulnerability, we need more 
fields and more effort.


Make IMPACT optional, it is very dependent on context and can be 
optionally covered in DESCRIPTION.

Also on the call today, there was an important discussion about 
providing better guidance/semantics for what goes in fields.


 - Art

Page Last Updated or Reviewed: September 21, 2017