
RE: Regarding CVE assignments on oss-sec mailing list



> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-
> editorial-board-list@lists.mitre.org] On Behalf Of jericho
> Sent: Thursday, November 26, 2015 12:28 AM
> To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> Subject: Re: Regarding CVE assignments on oss-sec mailing list
[...]
> If CVE fails to provide IDs on a few issues, after three months, I will
> personally lobby my company to publish advisories without an assignment,
> and make it very clear that it was done because CVE chose not to assign.
> It isn't fair that CVE holds up the coordinated disclosure process in
> cases where the requesting party and vendor are not CNAs themselves. Given
> that I suggested CVE expand the CNA body a while back, and that appears to
> have fallen on deaf ears, there is no excuse for MITRE at this point.
[...]

A disclosure process should never be held up by a pending CVE assignment.
Just go ahead and disclose and put "pending CVE assignment" on the CVE line.

--
kw


Page Last Updated or Reviewed: December 01, 2015