Re: recent CVE criticism
On Tue, 31 May 2016, Kurt Seifried wrote:
: I suspect David Jorm may slightly have the wrong end of the stick or be
: basing this on some misinterpreted information (perhaps Google/WebKit
: CVE handling, which has been a bit messy historically? Or Project Zero
: related stuff?). Google is not a CNA and not on the board however so I
: can't see how they'd have much influence over Mitre. It's on my todo
: list to talk to him (full disclosure: he used to be my manager @Red Hat
: some time ago before he left).
Agreed. Google P0 primarily relies on CNAs to assign. Tracking their
disclosures in a spreadsheet though, you can see where CNAs fail to follow
policy on assigning based on the ID vs year (e.g. 2015 discoveries are
getting CVE-2016-xxxx based on public disclosure).
Part of me thinks it will be a wild conspiracy, Colbert-style or
Yard-style (Larry Wilmore show), with pictures, strings, and amusing
'relations'.
: Like many groups we're nowhere near organized or competent enough to
: have some sort of CVE related conspiracy going on (and if there is one
: and I wasn't invited in I'll be proper annoyed ;).
I see this more akin to government conspiracies at large. People ascribe
amazing powers of secrecy and power to a government that is
well-documented at failing in magnificent ways on such a simple level,
while imagining that some level of it can hide UFOs for almost 100 years.
MITRE is struggling to do basic assignments for 'Tier 1' sources, so it is
hard to imagine some secret cabal related to CVE is actually out there. =)