Re: Regarding CVE assignments on oss-sec mailing list
On 2015-11-27 00:31, Kurt Seifried wrote:
>
> On Thu, Nov 26, 2015 at 10:27 PM, Art Manion <amanion@cert.org> wrote:
>> The current assignment model/process is under stress and probably needs
>> to change for CVE to remain broadly useful and relevant.
>>
>> Any thoughts on how to go about this? Starting with an evaluation of
>> current state/issues?
>
> So I know we have something like 1000+ assigned CVEs that are public
> and not in the database yet. So the backlog is real.
So that's an item under current state/issues.
> One thing I had suggested to Steve Christey ages ago was "lightweight
> CVEs", e.g. instead of a full write up, just at least give the url for
> the OSS-Security assignment, or the official vendor advisory/etc (for
> cases where I had privately assigned it for a project/etc.). At least
> this way people can track down some info on the CVE easily (you can
> Google, but you get a lot of "reserved CVE" hits you need to filter
> out). These lightweight entries could always be promoted to "full CVEs"
> later on if needed.
I generally like the idea (a speed/quality tradeoff), but let me suggest
some process -- figure out where CVE is and what problems it faces
before trying to solve them:
http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/
Regards,
- Art