
Re: CVEs with no REF URL (or a REF URL that is self referential)



On 2017-10-05 07:01 AM, Art Manion wrote:
> On 2017-10-04 17:54, Kurt Seifried wrote:
> 
>> The embargo often is set for a time and the commits/vendor
>> announcements/etc all take time. Rather than wait and check and
>> update the CVE entry with the ref URL it would be much easier just to
>> fire off the CVE that is self contained to the database so there is
>> something nearly immediately in the database (we're finding this
>> helps a lot with the higher profile messy issues).
> 
> Ah OK.  I've been operating under the impression that the delay 
> you're talking about was too small to matter, probably hours, less 
> than half a day.  I consider same-day CVE ID to be fast enough, maybe 
> < 6 hours for hot issues.
> 
>  - Art
> 

TBH it's less about the delay and more about automation. If I can
cronjob shoving the CVE into the database, and then later update it (or
anyone else can) handling embargoed CVEs becomes cheaper (essentially I
would assign, set the date, and like the Ronco Rotisserie "Set it and
forget it!" [assuming the embargo date doesn't change]). Especially for
the common case where people want the CVE prior to the git commit, if
that can be mostly automated that'd be awesome.

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com


Page Last Updated or Reviewed: October 09, 2017