RE: CVEs listed incorrectly at MITRE as reserved
We are a CNA for our own product issues, similar to many vendors I assume. We initially coordinate with submitters as to whether they intend to or have requested a CVE prior to their submission, informing them that we will assign a CVE during the resolution/reporting process as required.
We try to keep our initial CVE block request from Mitre as low as possible and request additional blocks should they be necessary during the year. This helps to eliminate as many hangers as we can from the "reserved but not assigned" category. We'd much rather pull from our own reserved CVE block for any issue we coordinate on our products rather than have CERT or Mitre "burn" one of theirs and leave empty reserved IDs we already have assigned.
I'm of the mind that a submitter/finder should probably check with the vendor or coordinator they are initially working with to determine if there will be a CVE assigned before they go directly to MITRE and request one of their own. Understand that not all vendors are CNAs, nor want to be, but an initial check would at least confirm the actual need for reserving a CVE through Mitre or through CERT as Art is indicating.
-mike
On 2014-05-14, 09:29, Christey, Steven M. wrote:
> Since the mere existence of a CVE ID can be useful for coordination
> even without a populated description and references, it might be
> useful for other Board members to weigh in on this topic.
...
> What might be less obvious is that the raw number of CVEs that are
> reserved through CNAs has increased significantly in recent years as
> well. The number of reserved CVEs *tripled* from 2009 to 2013 (based
> on the number of CVE-YYYY-nnnn IDs that were originally reserved).
> This is because of the increased adoption by CNAs, the rise of
> oss-security, as well as the increase in private reservations to the
> MITRE CNA because of our establishment of the CNA team and the
> cve-assign@mitre address in back in 2011.
...
I just opened a discussion with Steve about different types of CVE ID request that CERT handles. We generally assign IDs for vulnerability reports that we privately coordinate; however, we've been getting requests from vendors and researchers for "just" a CVE ID, and not coordination. Not a lot of requests (I can't measure easily, but ~3/40 for vendor requests in the first part of 2014), but it's to the level we've asked for guidance on when to issue an ID. Overall, our assignment rates have been growing for years. (At times, we have acted as a CNA for other CSIRTs who are now also CNAs.)
year  allotted  assigned
====  ========  ========
2002        12         2
2003        25        18
2004        10         8
2005        30        22
2006        30        28
2007        85        84
2008        45        45
2009        40        40
2010        45        36
2011       125       125
2012       245       233
2013       155       155
2014        90        64 (to date)
> Most of those advisories are for vendors that are "partial coverage"
> - not full coverage - according to
> http://cve.mitre.org/cve/data_sources_product_coverage.html
I'd generally expect some degree of delay/slack/queue time as multiple CNAs are assigning IDs and the MITRE/CVE mothership CNA is processing assignments, and prioritizing according to the coverage policy. 213 RBP IDs doesn't *feel* like too large of a queue/backlog, especially if they are lower priority reports.
I do think this illustrates the pressure between maintaining a certain scope of coverage while the vulnerability disclosure forces of the world are trending towards wanting more coverage.
Regards,
- Art