
Re: Agenda item - broken embargoes

I agree that once it's been exposed publicly there's no putting it back
in. The responsibility is obviously not yours, but is there a "safety"
somewhere in the mechanism? If not, perhaps the tool could be made less
"sharp". I know you put "PUBLIC" in large letters twice but it's in the
middle of blobs of

I can think of a number of safeties (delays, emails, etc.) but my
favorite would be the following. You already have these statements
"I confirm that...". Perhaps it would be easy to have one more like
"I confirm that I want this information made PUBLIC NOW or that it is
already PUBLIC."


On Wed, 2018-03-21 at 09:47 -0600, Kurt Seifried wrote:
> So I had someone submit a CVE request to the PUBLIC form
> iwantacve.org, and then go "oops, can you delete that" to which I
> replied "no, genie's out of the bottle, sorry", is there any official
> MITRE or CVE policy on such a thing? I know in the Open Source world
> (e.g. distros list) any public leak is treated as the embargo being
> broken because, well, it is. I'm inclined to keep that policy for the
> DWF, but was wondering if anyone else had any
> thoughts/comments/concerns? I know it's more of an internal CNA matter
> but it might be good to provide some guidance or at least information
> of the pros/cons around this.

Page Last Updated or Reviewed: March 21, 2018