Re: Regarding CVE assignments on oss-sec mailing list

To: Pascal Meunier <pmeunier@cerias.purdue.edu>
Subject: Re: Regarding CVE assignments on oss-sec mailing list
From: Kurt Seifried <kseifried@redhat.com>
Date: Thu, 26 Nov 2015 07:36:45 -0700
Authentication-Results: spf=none (sender IP is 129.83.29.2)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=redhat.com;
CC: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-Date: Fri Nov 27 08:58:27 2015
In-Reply-To: <5656F1FD.2070107@cerias.purdue.edu>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty1ZWyzaqpHE2_0h5rQsmtCVs_dziAv68wXs46TJKjozjg@mail.gmail.com> <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org> <5656F1FD.2070107@cerias.purdue.edu>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2

On Thu, Nov 26, 2015 at 4:50 AM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

Thank you Kurt, for responding to a need and making the CVE more relevant and usable. CVE usability isn't just how IDs are referred to after assignments, but how quick and painless the assignment process can be. Thanks to Kurt and Brian for making the scope of the problem obvious and easily understandable, with examples. The board has had discussions in the past (many years ago) about quality vs number of identified CVE issues; these tended to emphasize the need for quality. However, CVE risks losing acceptance if it doesn't provide sufficient identifiers with a manageable latency.

Pascal

Just as an aside, secalert@redhat.com has also seen a number of requests in the form "we asked Mitre and now we're asking you" which I was unable to fulfill because the risk of a duplicate is to high (whereas in a public form like OSS-SEC the chance of a duplicate is reduced because everyone can see the traffic/replies). I wasn't sure if people were simply getting impatient, but it seems like this is more normal than I'd hoped.

I know internally at Red Hat we have some SLA's for our security team, although we don't specifically have one for CVE assignments but the general rule is "1 business day, 2 max" which we usually meet unless it's a messy assignment and requires some back and forth. Perhaps an SLA for assignments (with some caveats for "difficulty" of assignment)?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: Art Manion <amanion@cert.org>

References:
- Regarding CVE assignments on oss-sec mailing list
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: jericho <jericho@attrition.org>
- Re: Regarding CVE assignments on oss-sec mailing list
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>

Prev by Date: Re: Regarding CVE assignments on oss-sec mailing list
Next by Date: Re: Regarding CVE assignments on oss-sec mailing list
Prev by thread: Re: Regarding CVE assignments on oss-sec mailing list
Next by thread: Re: Regarding CVE assignments on oss-sec mailing list
Index(es):
- Date
- Thread