Re: Rough Drafts of CVE Counting Documents
On 08/25/2016 12:10 PM, Kurt Seifried wrote:
>> INC4: can we better define public/private? E.g. what if a medical device
>> maker plans to use a CVE for an issue that they will then inform every user
>> of directly? Ditto for aerospace/SCADA/etc.
>>
>
> I'm not sure I understand what you would like to have happen. Limited
> diffusion? As a customer, I'd be confused to receive a notice referring to
> a CVE I couldn't look up on a public web site, if that's what you meant. If
> you meant embargoed issues, doesn't the CVE do that already?
>
> So Red Hat has 1000+ CVEs we've assigned and are not in the MITRE database.
> So that bridge has already been crossed. Also I'm assuming the CVEs will
> be available in the vendor database/website, e.g.:
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2002-2438
>
> We have a page with limited info (mostly because we're not affected =)
>
> https://access.redhat.com/security/cve/cve-2002-2438
>
> A CVE being in the MITRE or any public database is certainly nice to have,
> especially for high profile issues, but I wouldn't make it a requirement.
The example you give does have public information at
http://www.kb.cert.org/vuls/id/464113, so even though it's deplorable
that the NVD, CVE and Red Hat web sites don't have any information or
even a link to that, I'm not distressed.

However, I'm disappointed by the implication, if true, that many of
these 1000+ CVEs could all be "RESERVED" with no public explanation
anywhere and with no intent to make them public at any point in the
future. What was the point of using the CVE then? If there was a need
for secrecy, I believe there should be some form of disclosure after
some time. Think of it as declassification, which is of particular
interest to historians and academics.
Pascal