
Re: A note from GitHub about your repository

Also, to be clear, if you look at the artifact, it explicitly states that replying with "I accept" means it gets posted publicly (I even provide the URL):

Removed under GDPR <Removed under GDPR>

Thu, Apr 6, 2017, 2:03 PM
to me
I accept

-------- Original Message --------
Subject: DWF/CVE - Acceptance of MITRE Terms of Use for CVE for Removed under GDPR
Local Time: 6 April 2017 10:01 PM
UTC Time: 6 April 2017 20:01

This is a confirmation email sent from CVE request form at https://iwantacve.org/ asking you to accept the MITRE CVE Terms of Use (assuming you filled out the CVE form and want one, we can't use the data until you accept the MITRE CVE Terms of Use). 

Simply quote the email and reply with "I accept" at the top if you agree to the MITRE CVE Terms of Use and we will add it to the DWF MITRE CVE Terms of Use acceptance data at https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/tree/master/Terms-Of-Use

If you did not submit a CVE request to the DWF you can safely ignore this message, however we may resend it at some point in the future, if you don't want any future emails simply reply with "unsubscribe" or "DON'T SEND ME THIS EMAIL EVER AGAIN" and I'll add your email address to the block list so we don't spam you with these, please note that this will prevent you from being able to accept the MITRE CVE Terms of Use via the DWF automatically in future (you'll have to manually ask). But again, if you have no idea what a CVE is then you can ignore this/ask to be added to the block list with no problems. 

MITRE CVE Terms of Use


Submissions: For all materials you submit to the Common Vulnerabilities and Exposures (CVE®), you hereby grant to The MITRE Corporation (MITRE) and all CVE Numbering Authorities (CNAs) a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute such materials and derivative works. Unless required by applicable law or agreed to in writing, you provide such materials on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE.

CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy.

On Mon, Oct 1, 2018 at 9:48 AM Kurt Seifried <kurt@seifried.org> wrote:

On Mon, Oct 1, 2018 at 4:31 AM Morgan (GitHub Staff) <support@github.com> wrote:


My name is Morgan, and I work on GitHub’s User Policy team. We received word that one of your repositories contains sensitive or personal information that you may not have intended to make public, namely: private email addresses:

https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use/Removed under GDPR

Lines 6, 12, 15, 26, 27, 28, and the file name itself.

We wanted to give you a heads-up in case the information was published accidentally. If you need any help removing sensitive information that was committed by mistake, just let me know! We also have a handy guide here:


Please note that we may suspend repositories deemed to violate our Terms of Service, including those hosting sensitive or personal data. Please let us know if you have any questions and we'd be happy to help.

Nope, it was published intentionally. In order to request a CVE Identifier, the person submitting the data has to be licensed so the CVE project and others can use it, thus you need to agree to the CVE Terms of Use (https://github.com/distributedweaknessfiling/DWF-Legal-Acceptance/blob/master/Terms-Of-Use.md). I must publish these publicly so I have proof that it was accepted properly. Additionally, the email addresses submitted to the form at https://iwantacve.org/ are made public in a Google spreadsheet; this is made OBVIOUSLY clear in the initial form. Additionally, it is made clear that CVE is a PUBLIC database and information entered into it (like the description of the vulnerability, 

Furthermore CVE has a policy that when requesting a CVE you MUST use a working email address so that 

1) we can contact you to get acceptance of the Terms of Use
2) CVE users can contact the original requestor for clarification/details/etc

CC'ing the CVE board as I've brought this issue up (how do we handle GDPR-related issues) as this provides a good example. Also CC'ing Robert/Marko as they had asked in a previous email how GitHub can help the DWF (a major part would be ensuring trolls don't get people booted off of GitHub). Thanks!



Kurt Seifried


Page Last Updated or Reviewed: November 02, 2018