
Re: Multiple CNAs for software and coordination for issues under embargo

One challenge is when an embargoed item is sent to multiple parties through multiple channels, potentially with more than one CNA per channel.

On Thu, Feb 15, 2018 at 8:16 PM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
Another approach might be pre-agreements or other criteria between CNAs that, in this
type of situation, resolve the overlapping scopes ahead of time.  For example, CNAs
could agree to monitor non-overlapping lists, or stake a unique claim to the
responsibility for monitoring a certain source or type of source.


On Thu, 2018-02-15 at 16:36 -0700, Kurt Seifried wrote:
> So we now have a failure case: an embargoed set of issues were posted to
> the distros list, I was not explicitly asked to assign CVEs, but did, and
> it turns out CERT also assigned CVEs. CERT published first, so I rejected
> mine (https://github.com/CVEProject/cvelist/pull/314).
> This brings up the issue of what do we do when a reporter has an issue(s)
> and doesn't explicitly ask a CNA for CVEs, but more than one CNA sees it
> and wants to assign a CVE to it because the issues would significantly
> benefit from CVEs? Most scopes do not overlap, with one glaring exception,
> "Open Source".
> So thoughts/comments? Should we only assign a CVE if asked, and then if not
> asked default to some sort of notification protocol? Should we simply go
> with the "first to publish" rule like for public issues? Other options?


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: February 19, 2018