Re: Multipel CNAs for software and coordination for issues under embargo

Lot of ideas on this, but perhaps today's interesting assignments around
Jenkins may help the discussion? How exactly did one Jenkins disclosure
get three CVEs from two CNAs? I assume there had to be coordination in
advance of this?

CVE-2018-1000067          Jenkins LTS   SECURITY-506
CVE-2018-1000068          Jenkins LTS   SECURITY-717
CVE-2018-6356             Jenkins LTS   SECURITY-705

The Jenkins advisory, as of this email, only includes 2018-6356 and two
instances of "CVE pending".

.b

On Thu, 15 Feb 2018, Pascal Meunier wrote:

: Another approach might be pre-agreements or other criteria between CNAs that, in this

: type of situation, resolve the overlapping scopes ahead of time.  For example, CNAs
: could agree to monitor non-overlapping lists, or stake a unique claim to the
: responsibility for monitoring a certain source or type of source.
:
: Pascal
:
: On Thu, 2018-02-15 at 16:36 -0700, Kurt Seifried wrote:
: > So we now have a failure case, an embargoed set of issues were posted to
: > the distros list, I was not explicitly asked to assign CVE's, but did, and
: > it turns out CERT also assigned CVEs. CERT published first, so I reject'ed
: > mine (https://github.com/CVEProject/cvelist/pull/314).
: >
: > This brings up the issue of what do we do when a reporter has an issue(s)
: > and doesn't explicitly ask a CNA for CVEs, but more than one CNA see it,
: > and want to assign a CVE to it because the issues would significantly
: > benefit from CVEs? Most scopes do not overlap, with one glaring exception,
: > "Open Source".
: >
: > So thoughts/comments? Should we only assign a CVE if asked, and then if not
: > asked default to some sort of notification protocol? Should we simply go
: > with the "first to publish" rule like for public issues? Other options?

: >
: >
: