[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: DoD and CVE

A lot of military tech now includes COTS/Open Source. It's not like these companies wrote their own realtime OS and USB drivers... 

On Wed, Oct 10, 2018 at 10:54 AM Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
DoD is the most legitimate case I can think of for using their own numbering system
instead of CVEs.  They have confidentiality needs beyond what CVE can support, e.g.,
vs nation-state enemies.  What value would CVE IDs have to them, over any other
numbering system providing unique IDs? 

I can't reconcile the idea of separate private namespaces that anyone can use however
they like, with the definition of CVE IDs as unique.  They are not CVEs, they're just
numbers.  At best they could be a CNA for whatever they decide to make public, but
then why not use existing CNAs?


On Wed, 2018-10-10 at 09:58 -0600, Kurt Seifried wrote:
> I can't help but feel like the DoD might need some CVE related help:
> https://www.gao.gov/mobile/products/GAO-19-128
> Also this raises the point of "CVE's are for public vulnerabilities" but
> should we maybe look at what public means/how it is defined (I imagine the
> DoD/related community would benefit from CVE, but not always be in a
> position to make the CVEs they assign truly public). Maybe a separate
> namespace/number space for this kind of thing? (ala IPv4 space 10.*,
> 172.16.* and so on).

Kurt Seifried

Page Last Updated or Reviewed: October 12, 2018