Re: CVEs listed incorrectly at MITRE as reserved

To: "Christey, Steven M." <coley@mitre.org>, "Kent_Landfield@McAfee.com"<Kent_Landfield@McAfee.com>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
Subject: Re: CVEs listed incorrectly at MITRE as reserved
From: Art Manion <amanion@cert.org>
Date: Thu, 15 May 2014 10:27:53 -0400
Delivery-Date: Thu May 15 10:28:08 2014
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cert.org;s=jthatj15xw2j; t=1400164076;bh=TSjEptyc/ZWsoqN+IUKITv1rjUcMKePdJgq7rKJG5SY=;h=Message-ID:Date:From:MIME-Version:To:Subject:References: In-Reply-To:Content-Type:Content-Transfer-Encoding:Sender:Reply-To: Cc;b=ZWCvk77A9V2DVqykUYg/7Csw8l6UoCvnVIOd3eeLXVR3b+1f0QazXMkGozR8ofCKL 98DANUGKSs6V+OBS3E/TZUdLnOhWizEDpJ208YCc/QqmpS0q4jhc6SKM2lSxKsamRr TulubWDlUlxkq5sV142MeBMTcWz54fhi1crNeMuk=
In-Reply-To: <FC72FC641B949240B947AC6F1F83FBAF4C45478F@IMCMBX04.MITRE.ORG>
References: <CF98549E.65674%kent_landfield@mcafee.com> <FC72FC641B949240B947AC6F1F83FBAF4C45478F@IMCMBX04.MITRE.ORG>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

On 2014-05-14, 09:29, Christey, Steven M. wrote:

> Since the mere existence of a CVE ID can be useful for coordination
> even without a populated description and references, it might be
> useful for other Board members to weigh in on this topic.
...

> What might be less obvious is that the raw number of CVEs that are
> reserved through CNAs has increased significantly in recent years as
> well.  The number of reserved CVEs *tripled* from 2009 to 2013 (based
> on the number of CVE-YYYY-nnnn IDs that were originally reserved).
> This is because of the increased adoption by CNAs, the rise of
> oss-security, as well as the increase in private reservations to the
> MITRE CNA because of our establishment of the CNA team and the
> cve-assign@mitre address in back in 2011.
...

I just opened a discussion with Steve about different types of CVE ID 
request that CERT handles.  We generally assign IDs for vulnerability 
reports that we privately coordinate, however we've been getting 
requests from vendors and researchers for "just" a CVE ID, and not 
coordination.  Not a lot of requests (I can't measure easily, but ~3/40 
for vendor requests in the first part of 2014), but it's to the level 
we've asked for guidance on when to issue an ID.  Overall, our 
assignment rates have been growing for years.  (At times, we have acted 
as a CNA for other CSIRTs who are now also CNAs).

year	alloted	assigned
====	=======	========
2002	12	2
2003	25	18
2004	10	8
2005	30	22
2006	30	28
2007	85	84
2008	45	45
2009	40	40
2010	45	36
2011	125	125
2012	245	233
2013	155	155
2014	90	64 (to date)

> Most of those advisories are for vendors that are "partial coverage"
> - not full coverage - according to
> http://cve.mitre.org/cve/data_sources_product_coverage.html

I'd generally expect some degree of delay/slack/queue time as multiple 
CNAs are assigning IDs and the MITRE/CVE mothership CNA is processing 
assignments, and prioritizing according to the coverage policy.  213 RBP 
IDs doesn't *feel* like too large of a queue/backlog, especially if they 
are lower priority reports.

I do think this illustrates the pressure between maintaining a certain 
scope of coverage while the vulnerability disclosure forces of the world 
are trending towards wanting more coverage.

Regards,

  - Art

Follow-Ups:
- RE: CVEs listed incorrectly at MITRE as reserved
  - From: Mike Prosser <mprosser@symantec.com>

References:
- CVEs listed incorrectly at MITRE as reserved
  - From: <Kent_Landfield@McAfee.com>
- RE: CVEs listed incorrectly at MITRE as reserved
  - From: "Christey, Steven M." <coley@mitre.org>

Prev by Date: RE: CVEs listed incorrectly at MITRE as reserved
Next by Date: RE: CVEs listed incorrectly at MITRE as reserved
Prev by thread: RE: CVEs listed incorrectly at MITRE as reserved
Next by thread: RE: CVEs listed incorrectly at MITRE as reserved
Index(es):
- Date
- Thread