|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- To: Art Manion <amanion@cert.org>
- Subject: Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- From: Kurt Seifried <kseifried@redhat.com>
- Date: Wed, 30 Mar 2016 18:09:55 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=redhat.com;
- Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Thu Mar 31 07:40:15 2016
- In-reply-to: <56FC3FFD.7070905@cert.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CY1PR09MB08731B8AFA8A70B3E69F46FEC7860@CY1PR09MB0873.namprd09.prod.outlook.com> <56FC3FFD.7070905@cert.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 43da9c421be74aed97248473db21fd15
- Spamdiagnosticoutput: 1:2
On Wed, Mar 30, 2016 at 3:07 PM, Art Manion <amanion@cert.org> wrote:
On 2016-03-28 12:24, Common Vulnerabilities & Exposures wrote:
> Please find attached to this note a copy of the draft CVE Simplified
> Counting Paper. The paper was originally prepared as an internal piece
> to help the CVE analysts orient their thinking, and we thought that it
> would be useful to share it with the Board as background before the
> Board meeting Wednesday afternoon.
Comments added.
At a high level, even more tolerance for assignment criteria, increased
assignment (by MITRE and/or CNAs) is necessary to keep up with reality.
A direct affect is an increased need for split/merge/reject cleanup.
Perhaps, vaguely reminiscent of CAN/CVE days, CVE entries get a flag
that can be set by MITRE or a CNA to distinguish "claimed
vulnerabilities, report looks plausible, public reference" from "vendor
acknowledged, or otherwise substantiated claim, public reference."
- Art
One thing to keep in mind I think is that at a high level CVE stands for "Common Vulnerabilities and Exposures", so obviously it's used to track vulns, but on the other side CVE is also heavily used to track remediation, be it software updates, workarounds, compensating controls, whatever. A good example of this is the search results:
I'm not sure we need to cover it much beyond the "incomplete fix == another CVE", thoughts/comments?
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
- References:
- Simplified Draft Counting Paper for CVE Editorial Board Review
- From: Common Vulnerabilities & Exposures <cve@mitre.org>
- Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- From: Art Manion <amanion@cert.org>
- Simplified Draft Counting Paper for CVE Editorial Board Review
- Prev by Date: Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- Previous by thread: Re: Simplified Draft Counting Paper for CVE Editorial Board Review
- Next by thread: Editorial Board meeting details have been sent
- Index(es):