|
|
On 2016-05-12 20:18, Kurt Seifried wrote:
> <http://cveproject.github.io/docs/requester/reservation-guidelines.html>____
> So for the DWF handling of Open Source vulnerabilities my plan is
> currently for the general case:
>
> Minimum required for CVE:
> -Software name (and/or URL if it's a common name used more than once)
> -Vulnerable version (one or more)
> -Base flaw (CWE) or working reproducer that reliably triggers it or some
> decent description of the flaw (do X/Y/Z and this weird thing happens
> that has a security impact)
I was thinking that decent description becomes the CVE name/title? Also
a title name should be required, even if there's also a good CWE match.
Something like "Vendor product (component) has a CWE-123." Encourage
good titles but accept anything reasonable.
Is the above enough for MITRE to import and create a CVE entry? I think
currently a somewhat trusted/authoritative public reference is also
required?
> Strongly required for CVE (not mandatory, but there better be a good
> reason for not having these):
> -Affected component (e.g. function name, URL in web app, etc.)
> -Link or example of vulnerable code or a link or example of the code fix
> -What the security impact is (AIC?) if you can't explain what
> exploitation accomplishes we have a problem
>
> Requested for CVE (it'll speed things up):
> -Fixed version/commit
> -CVSSv2/3 scoring information
And all the above would be implemented in a DWF CSV row and collection
of artifacts? Require minimal JSON file?
- Art