[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Multipel CNAs for software and coordination for issues under embargo
- To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: Multipel CNAs for software and coordination for issues under embargo
- From: Kurt Seifried <kseifried@redhat.com>
- Date: Thu, 15 Feb 2018 16:36:16 -0700
- Authentication-results: spf=none (sender IP is 192.52.194.235) smtp.mailfrom=LISTS.MITRE.ORG; imc.mitre.org; dkim=none (message not signed) header.d=none;imc.mitre.org; dmarc=fail action=none header.from=redhat.com;
- Delivery-date: Fri Feb 16 07:52:37 2018
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
So we now have a failure case, an embargoed set of issues were posted to the distros list, I was not explicitly asked to assign CVE's, but did, and it turns out CERT also assigned CVEs. CERT published first, so I reject'ed mine (https://github.com/CVEProject/cvelist/pull/314).
This brings up the issue of what do we do when a reporter has an issue(s) and doesn't explicitly ask a CNA for CVEs, but more than one CNA see it, and want to assign a CVE to it because the issues would significantly benefit from CVEs? Most scopes do not overlap, with one glaring exception, "Open Source".
So thoughts/comments? Should we only assign a CVE if asked, and then if not asked default to some sort of notification protocol? Should we simply go with the "first to publish" rule like for public issues? Other options?
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
- Follow-Ups:
- Re: Multipel CNAs for software and coordination for issues under embargo
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: Multipel CNAs for software and coordination for issues under embargo
- From: Art Manion <amanion@cert.org>
- Re: Multipel CNAs for software and coordination for issues under embargo
- Prev by Date: RE: Action items coming out of the CNA Summit
- Next by Date: Re: Multipel CNAs for software and coordination for issues under embargo
- Previous by thread: RE: Action items coming out of the CNA Summit
- Next by thread: Re: Multipel CNAs for software and coordination for issues under embargo
- Index(es):
