
Re: Regarding CVE assignments on oss-sec mailing list



On Sun, 29 Nov 2015 15:11:20 +0000
"Williams, Ken" <Ken.Williams@ca.com> wrote:

> > From: owner-cve-editorial-board-list@lists.mitre.org
> > [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf
> > Of jericho
> > Sent: Thursday, November 26, 2015 12:28 AM
> > To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
> > Subject: Re: Regarding CVE assignments on oss-sec mailing list
> [...]
> > If CVE fails to provide IDs on a few issues, after three months, I
> > will personally lobby my company to publish advisories without an
> > assignment, and make it very clear that it was done because CVE
> > chose not to assign. It isn't fair that CVE holds up the
> > coordinated disclosure process in cases where the requesting party
> > and vendor are not CNAs themselves. Given that I suggested CVE
> > expand the CNA body a while back, and that appears to have fallen on
> > deaf ears, there is no excuse for MITRE at this point.
> [...]
> 
> A disclosure process should never be held up by a pending CVE
> assignment. Just go ahead and disclose and put "pending CVE
> assignment" on the CVE line.
> 
> --
> kw
> 

Adding a CVE ID 3 months after the publication of an advisory should
only help historians.  In my mind that defeats a main purpose of the
CVE, which is to know if Alice, Bob and Charlie are talking about the
same issue or not.

Pascal


Page Last Updated or Reviewed: December 01, 2015