[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVEs with no REF URL (or a REF URL that is self referential)

On Wed, Oct 4, 2017 at 3:19 PM, Art Manion <amanion@cert.org> wrote:
On 10/4/17 12:48 PM, Kurt Seifried wrote:

And, why submit embargoed issues to CVE before the embargo is over?  Wait until public, and then you also have a git commit URL.

I'm not talking about submitting embargoed info (that would break the embargo, so obviously I can't do that).

The embargo often is set for a time and the commits/vendor announcements/etc all take time. Rather then wait and check and update the CVE entry with the ref URL it would be much easier just to fire off the CVE that is self contained to the database so there is something nearly immediately in the database (we're finding this helps a lot with the higher profile messy issues). 

 - Art

Kurt Seifried

Page Last Updated or Reviewed: October 05, 2017