
Re: Multiple CNAs for software and coordination for issues under embargo



Lots of ideas on this, but perhaps today's interesting assignments around
Jenkins may help the discussion? How exactly did one Jenkins disclosure
get three CVEs from two CNAs? I assume there had to be coordination in
advance of this?

CVE-2018-1000067          Jenkins LTS   SECURITY-506
CVE-2018-1000068          Jenkins LTS   SECURITY-717
CVE-2018-6356             Jenkins LTS   SECURITY-705

The Jenkins advisory, as of this email, only includes 2018-6356 and two 
instances of "CVE pending".

.b

On Thu, 15 Feb 2018, Pascal Meunier wrote:

: Another approach might be pre-agreements or other criteria between CNAs that, in this
: type of situation, resolve the overlapping scopes ahead of time.  For example, CNAs
: could agree to monitor non-overlapping lists, or stake a unique claim to the
: responsibility for monitoring a certain source or type of source.
: 
: Pascal
: 
: On Thu, 2018-02-15 at 16:36 -0700, Kurt Seifried wrote:
: > So we now have a failure case, an embargoed set of issues were posted to
: > the distros list, I was not explicitly asked to assign CVEs, but did, and
: > it turns out CERT also assigned CVEs. CERT published first, so I rejected
: > mine (https://github.com/CVEProject/cvelist/pull/314).
: > 
: > This brings up the issue of what do we do when a reporter has an issue(s)
: > and doesn't explicitly ask a CNA for CVEs, but more than one CNA see it,
: > and want to assign a CVE to it because the issues would significantly
: > benefit from CVEs? Most scopes do not overlap, with one glaring exception,
: > "Open Source".
: > 
: > So thoughts/comments? Should we only assign a CVE if asked, and then if not
: > asked default to some sort of notification protocol? Should we simply go
: > with the "first to publish" rule like for public issues? Other options?
: > 
: > 
: 


Page Last Updated or Reviewed: February 16, 2018