Re: Discussion of Well-Formed CVE Requests
On 2016-05-12 20:18, Kurt Seifried wrote:
>
> <http://cveproject.github.io/docs/requester/reservation-guidelines.html>
> So for the DWF handling of Open Source vulnerabilities my plan is
> currently for the general case:
>
> Minimum required for CVE:
> -Software name (and/or URL if it's a common name used more than once)
> -Vulnerable version (one or more)
> -Base flaw (CWE) or working reproducer that reliably triggers it or some
> decent description of the flaw (do X/Y/Z and this weird thing happens
> that has a security impact)

I was thinking that decent description becomes the CVE name/title? Also
a title name should be required, even if there's also a good CWE match.
Something like "Vendor product (component) has a CWE-123." Encourage
good titles but accept anything reasonable.

Is the above enough for MITRE to import and create a CVE entry? I think
currently a somewhat trusted/authoritative public reference is also
required?

> Strongly required for CVE (not mandatory, but there better be a good
> reason for not having these):
> -Affected component (e.g. function name, URL in web app, etc.)
> -Link or example of vulnerable code or a link or example of the code fix
> -What the security impact is (AIC?) if you can't explain what
> exploitation accomplishes we have a problem
>
> Requested for CVE (it'll speed things up):
> -Fixed version/commit
> -CVSSv2/3 scoring information

And all the above would be implemented in a DWF CSV row and collection
of artifacts? Require minimal JSON file?

- Art