Re: Multiple CNAs for software and coordination for issues under embargo

Another approach might be pre-agreements or other criteria between CNAs
that, in this type of situation, resolve the overlapping scopes ahead of
time.  For example, CNAs could agree to monitor non-overlapping lists, or
stake a unique claim to the responsibility for monitoring a certain source
or type of source.


On Thu, 2018-02-15 at 16:36 -0700, Kurt Seifried wrote:
> So we now have a failure case: an embargoed set of issues were posted
> to the distros list. I was not explicitly asked to assign CVEs, but
> did, and it turns out CERT also assigned CVEs. CERT published first, so
> I rejected mine (https://github.com/CVEProject/cvelist/pull/314).
>
> This brings up the issue of what we do when a reporter has an issue(s)
> and doesn't explicitly ask a CNA for CVEs, but more than one CNA sees
> it, and wants to assign a CVE to it because the issues would
> significantly benefit from CVEs. Most scopes do not overlap, with one
> glaring exception, "Open Source".
>
> So thoughts/comments? Should we only assign a CVE if asked, and then if
> not asked default to some sort of notification protocol? Should we
> simply go with the "first to publish" rule like for public issues?
> Other options?

Page Last Updated or Reviewed: February 19, 2018