
RE: Agenda for CVE Board Meeting Wednesday, 15 November 2017



I feel like a disclaimer or an FAQ entry is the best route to take at 
present.

There is still a lot of work that will have to be done in getting the 
broader community to understand the ways in which vulnerability info is 
different from threat intelligence or other feeds of data.


-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
jericho
Sent: Wednesday, November 15, 2017 13:10
To: Kurt Seifried <kseifried@redhat.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
Importance: High

On Wed, 15 Nov 2017, Kurt Seifried wrote:

: Do we much care about the year assigned/vs the year it was asked for and
: acknowledged as a security issue? Looks like HackerOne may have done a
: mass 2017 assignment to a lot of old issues. e.g. 
: https://hackerone.com/reports/713

That has been the 'standard' or guideline for most of CVE's history. If 
that changes, I feel it critical that it be communicated to the 
community and a disclaimer added somewhere on the CVE page(s). We're 
rapidly approaching where companies will start using CVE data to make 
general statements about how many vulnerabilities were disclosed in 
2017, and many do it largely based off the IDs.

Also note that many DWF assignments this year also broke from that, 
giving 2017 assignments to issues as far back as 2012. This is not 
limited to HackerOne by any means.

Brian


Page Last Updated or Reviewed: November 16, 2017