|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Regarding CVE assignments on oss-sec mailing list
- To: <owner-cve-editorial-board-list@lists.mitre.org>
- Subject: Re: Regarding CVE assignments on oss-sec mailing list
- From: Scott Lawler <scott.lawler@lp3.com>
- Date: Fri, 27 Nov 2015 11:29:16 +0000
- Accept-Language: en-US
- Authentication-Results: spf=none (sender IP is 129.83.29.3)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=lp3.com;
- CC: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-Date: Fri Nov 27 08:58:27 2015
- In-Reply-To: <5657F488.5030903@cert.org>
- List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CANO=Ty1ZWyzaqpHE2_0h5rQsmtCVs_dziAv68wXs46TJKjozjg@mail.gmail.com> <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org> <5656F1FD.2070107@cerias.purdue.edu> <CANO=Ty2qHPL4HhHERe3=P6kHMxxQeuqhxct2TZWG4r0PVG7Bfg@mail.gmail.com><5657E9B7.3080105@cert.org> <CANO=Ty1k5cOuo1XNBFgiBSt6394U0nVSfSACKm+82qxJjRyJFQ@mail.gmail.com>,<5657F488.5030903@cert.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- SpamDiagnosticMetadata: NSPM
- SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
- SpamDiagnosticOutput: 1:23
- SpamDiagnosticOutput: 1:2
- Thread-Index: AQHRKA9GoWHWG+//o02HnRLOCzSDyZ6t1v0AgABaJYCAAC5+gIAA+NOAgAABGYCAAAvLAIAAWD2v
- Thread-Topic: Regarding CVE assignments on oss-sec mailing list
What do we as the board need to do in order to fully define the issue? - Do we need to find a way to get more resources for MITRE? - Is there a depth of research required issue as well? - What process step are we stuck on the most often? - Do we have any process metrics available so we can make informed inputs? We could in parallel start thinking about potential solutions. I do agree with Art that we need to understand the issue well before we jump to solutions. I think MITRE really needs our help on this. We need to solve this to help that team continue to succeed. Scott > On Nov 27, 2015, at 1:14 AM, Art Manion <amanion@cert.org> wrote: > >> On 2015-11-27 00:31, Kurt Seifried wrote: >> >> On Thu, Nov 26, 2015 at 10:27 PM, Art Manion <amanion@cert.org >> <mailto:amanion@cert.org>> wrote: > >> The current assignment model/process is under stress and probably needs >> to change for CVE to remain broadly useful and relevant. >> >> Any thoughts on how to go about this? Starting with an evaluation of >> current state/issues? > >> So I know we have something like 1000+ assigned CVE's that are public >> and not in the database yet. So the backlog is real. > > So that's an item under current state/issues. > >> One thing I had suggested to Steve Christey ages ago was "lightweight >> CVEs", e.g. instead of a full write up, just at least give the url for >> the OSS-Security assignment, or the official vendor advisory/etc (for >> cases where I had privately assigned it for a project/etc.). At least >> this way people can track down some info on the CVE easily (you can >> Google, but you get a lot of "reserved CVE" hits you need to filter >> out). These lightweight entries could always be promoted to "full CVEs" >> later on if needed. > > I generally like the idea (a speed/quality tradeoff), but let me suggest > some process -- figure out where CVE is and what problems it faces > before trying to solve them: > > http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/ > > Regards, > > - Art
- Follow-Ups:
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
- References:
- Regarding CVE assignments on oss-sec mailing list
- From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: jericho <jericho@attrition.org>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Art Manion <amanion@cert.org>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Art Manion <amanion@cert.org>
- Regarding CVE assignments on oss-sec mailing list
- Prev by Date: Re: Regarding CVE assignments on oss-sec mailing list
- Next by Date: Re: Regarding CVE assignments on oss-sec mailing list
- Prev by thread: Re: Regarding CVE assignments on oss-sec mailing list
- Next by thread: Re: Regarding CVE assignments on oss-sec mailing list
- Index(es):