[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: new CNA guidelines
- To: Kurt Seifried <kurt@seifried.org>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Subject: Re: new CNA guidelines
- From: Art Manion <amanion@cert.org>
- Date: Sun, 8 Oct 2017 22:34:38 -0400
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=cert.org;
- Delivery-date: Mon Oct 9 07:47:09 2017
- Dkim-filter: OpenDKIM Filter v2.11.0 veto.sei.cmu.edu v992Yewb024676
- In-reply-to: <CABqVa387=Bi944LR6P6k=k7-e7MO5x4SS1ZmqfxOZngbsidP1g@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CABqVa387=Bi944LR6P6k=k7-e7MO5x4SS1ZmqfxOZngbsidP1g@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
- User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:52.0) Gecko/20100101 Thunderbird/52.3.0
On 2017-10-07 21:50, Kurt Seifried wrote: > https://securitytxt.org/ > > TL;DR: security.txt for reporting security issues, like robots.txt > for telling web robots how to behave. ... Generally a big fan, there's similar work going on in FIRST, and I plan to actually talk to the author/developer. A few thoughts: > # Our disclosure policy > > Disclosure: Full Not sure that disclosure policies are modular/structured well-enough yet to work like this. Also the three options are too gross. A suggestion is to provide a pointer to the policy (having and publishing a policy is a great start). There are some norms/standards developing around coordinated vulnerability disclosure. We primarily ask vendors to do crazy things like: 1. Develop and publish a policy 2. Have a way to receive reports 3. Analyze and fix/publish CNAs should be held to the same standard. Note: #1 says to have and publish a policy, not what the policy says. CVE the boundary of disclosure, CVE shouldn't bother itself too much with disclosure politics. > This would make it much easier for people to discover how to report > things (99% of the time you can plug a product name in and get the > web page no problem, then the problem becomes finding the contact > details for reporting your security vulnerability). > > This is a very nice KISS solution, it requires minimal to no > maintenance (most places do not change the web page for their PGP key > to often, or the reporting email address, with the exception for > corporate mergers/divestitures). It should work great for web site reporting (I think the location on a site is /security.txt, or /.well-known/security.txt). A little less clear for product vulnerabilities (I might know I need to talk to Red Hat, but what web site holds the correct security.txt for Digital Alert Systems? The FIRST work focuses on the content and format but stops short of recommending a single/specific location for the contact information. - Art
- Follow-Ups:
- Re: new CNA guidelines
- From: Kurt Seifried <kurt@seifried.org>
- Re: new CNA guidelines
- References:
- new CNA guidelines
- From: Kurt Seifried <kurt@seifried.org>
- new CNA guidelines
- Prev by Date: new CNA guidelines
- Next by Date: Re: new CNA guidelines
- Previous by thread: new CNA guidelines
- Next by thread: Re: new CNA guidelines
- Index(es):
