All,

In the past, CVE has occasionally been requested to assign CVE-IDs for submissions based on the results of automated testing or similar methods that can produce a large number of findings. We will refer to these as "large-scale requests." We have traditionally handled such requests on a case-by-case basis, but with the increasing use of automated testing tools and similar methods, we believe that large-scale requests for CVE-IDs will become more frequent. Steve Christey Coley is preparing a paper on this topic, but we wanted to provide the Board with an interim statement to help clarify our position and our planned response to large-scale CVE requests for the near term.

Our interim position is that we will not treat large-scale cve-assign requests as substantially different from individual requests. By that, we mean that the submitting researcher or discloser should provide sufficient proof that a vulnerability exists for each individual finding of their testing, based on the same criteria we use for any other cve-assign request. Also, the researcher/discloser should characterize each automated finding in their request based on the underlying vulnerability type and affected versions, which are important details for CVE abstraction that influence the number of CVE-IDs to be assigned. If proof of vulnerability and/or abstraction-relevant details are not available, then we may choose to ask the requester to provide them, and/or de-prioritize any extensive work that would be necessary for us to perform the relevant analysis ourselves, thereby delaying our full response.

We understand and recognize that our interim position does not address large-scale requests where sufficient information is provided to justify assignment of a large number of CVE-IDs. If such a case or cases arise in the near future, then we will prioritize and handle them as they come. Steve Christey Coley's upcoming paper will address this and related issues.

Best Regards,
Steve Boyle and Steve Christey Coley
MITRE CVE