[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Agenda item - broken embargoes

To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Agenda item - broken embargoes
From: Kurt Seifried <kurt@seifried.org>
Date: Wed, 21 Mar 2018 09:47:18 -0600
Authentication-results: spf=none (sender IP is 198.49.146.235) smtp.mailfrom=LISTS.MITRE.ORG; imc.mitre.org; dkim=none (message not signed) header.d=none;imc.mitre.org; dmarc=none action=none header.from=seifried.org;
Delivery-date: Wed Mar 21 12:34:27 2018
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2

So I had someone submit a CVE request to the PUBLIC form iwantacve.org, and then go "oops, can you delete that" to which I replied "no, genies out of the bottle, sorry", is there any official MITRE or CVE policy on such a thing? I know in the Open Source world (e.g. distros list) any public leak is treated as the embargo being broken because, well, it is. I'm inclined to keep that policy for the DWF, but was wondering if anyone else had any thoughts/comments/concerns? I know it's more of an internal CNA matter but it might be good to provide some guidance or at least information of the pros/cons around this.

Kurt Seifried
kurt@seifried.org

Follow-Ups:
- Re: Agenda item - broken embargoes
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>

Prev by Date: CVE Board Meeting March 21, 2018 - Agenda
Next by Date: Re: Agenda item - broken embargoes
Previous by thread: CVE Board Meeting March 21, 2018 - Agenda
Next by thread: Re: Agenda item - broken embargoes
Index(es):
- Date
- Thread