
Re: CVE program priorities



So my hope was always that Mitre would realize that the best way to handle this is to become a coordinating body primarily and secondarily an assigning/researching/writing-up body, rather than being primarily an assigning/researching/writing-up CVE body (with no real coordination I can see; heck, at this point I'm not even sure what the purpose of the board is).


The only viable way to scale out CVE to cover things, or heck, to even continue covering what we have in the past (e.g. major US-based commercial vendors, most major Open Source, etc.) is to adopt an Open Source style model. We need to reduce the cost (both in monetary terms and effort/time) of getting CVEs; the best way to do this is to create more CNAs so CVEs can simply be assigned at the source of discovery, quickly and promptly.

We need to admit that the official CVE database is now google.com (or whatever search engine you use), not cve.mitre.org.

We need to admit that what makes a CVE real is not Mitre's blessing, but the fact that a trustworthy source (vendor security team, trusted researcher, etc.) says the CVE is valid. This is actually already true; the number of assigned CVEs in public use but not in the official Mitre database is considerable (Red Hat alone has over 1000 we have assigned but not seen in the Mitre database yet).

We need to admit we need more CNAs and that the CNA process needs to be simpler. Mitre hasn't even replied to Mark Cox, a board member and well-known security industry luminary (I mean, he runs Red Hat's Security Response and sits on Apache's and OpenSSL's security teams), who wants Apache and OpenSSL respectively to be CNAs (currently he simply piggybacks on the CVE blocks assigned to Red Hat, so he's been acting as a CNA for quite some time now, just unofficially). But Mitre won't make Apache/OpenSSL a CNA (or even reply with a reason as to why this hasn't been done).

We have been promised change by Mitre, both publicly and in private emails to me over a period of 6 months or so, but as far as I know/can see there has been no change.

I am rapidly losing confidence in Mitre's ability to manage the CVE database, CNA process and so on. 

I have grave concerns about the viability of CVE if it is left primarily under Mitre's control. 


--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: December 28, 2015