RE: Regarding the Distributed Weakness Filing system

To: Kurt Seifried <kseifried@redhat.com>, Pascal Meunier <pmeunier@cerias.purdue.edu>
Subject: RE: Regarding the Distributed Weakness Filing system
From: "Boyle, Stephen V." <sboyle@mitre.org>
Date: Wed, 9 Mar 2016 20:03:47 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Wed Mar 9 15:58:46 2016
In-reply-to: <CANO=Ty2YLhvf9Br8cuoeCuQyFQf1TdmX=TETUoW0xHD5QtWfRw@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty3tjTEMh7-xZSfzXaWBYmEu4N_bnZLXVmBxgD6x6942nw@mail.gmail.com> <56DE3DA4.2010402@cerias.purdue.edu> <CANO=Ty2YLhvf9Br8cuoeCuQyFQf1TdmX=TETUoW0xHD5QtWfRw@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: NSPM
Spamdiagnosticmetadata: 43da9c421be74aed97248473db21fd15
Spamdiagnosticoutput: 1:23
Spamdiagnosticoutput: 1:2
Thread-index: AQHReN2ANfpLXd62ikiGkfvE1eGZRJ9O2mAAgAJYooCAAFfXgA==
Thread-topic: Regarding the Distributed Weakness Filing system

Kurt and Pascal,

Confirmed. The CVE Team received the emails and is reviewing the issues that you and others have raised. We apologize for the delay in responding and we are working to address those issues by 03/11/16. Going forward, the team will strive for same-day response to messages from the CVE Editorial Board List, but no longer than one business day.

Thank you for your contributions and for your patience as we work to improve our processes.

The CVE Team

From: Kurt Seifried [mailto:kseifried@redhat.com]
Sent: Wednesday, March 09, 2016 9:46 AM
To: Pascal Meunier <pmeunier@cerias.purdue.edu>; Boyle, Stephen V. <sboyle@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Regarding the Distributed Weakness Filing system

Can someone from Mitre at least confirm that they have seen this email? It's been over a week now with no reply from Mitre on anything:

https://cve.mitre.org/data/board/archives/2016-03/msg00000.html

https://cve.mitre.org/data/board/archives/2016-03/msg00006.html

https://cve.mitre.org/data/board/archives/2016-03/msg00008.html

On Mon, Mar 7, 2016 at 7:49 PM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:

On 03/07/2016 08:53 PM, Kurt Seifried wrote:

"The vendor declined to fix the vulnerability".

That one is jaw-dropping. By implication, if I refuse to fix it, you can't mention it, discuss it, or issue an advisory about it? That's obstructing vulnerability disclosure, and a way to stimulate full disclosure by default for future issues.

Can MITRE please report how many times this reason is used?

Pascal

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- Regarding the Distributed Weakness Filing system
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding the Distributed Weakness Filing system
  - From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Re: Regarding the Distributed Weakness Filing system
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: [oss-security] Concerns about CVE coverage shrinking - direct impact to researchers/companies
Next by Date: RE: [oss-security] Concerns about CVE coverage shrinking - direct impact to researchers/companies
Previous by thread: Re: Regarding the Distributed Weakness Filing system
Next by thread: Re: [oss-security] Concerns about CVE coverage shrinking - direct impact to researchers/companies
Index(es):
- Date
- Thread