Re: what text is being sent to researchers re: OSS assignments?

To: Kurt Seifried <kseifried@redhat.com>
Subject: Re: what text is being sent to researchers re: OSS assignments?
From: "Landfield, Kent B" <kent.b.landfield@intel.com>
Date: Mon, 19 Dec 2016 15:16:33 +0000
Accept-language: en-US
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=intel.com;mitre.org; dkim=none (message not signed) header.d=none;
Cc: jericho <jericho@attrition.org>, CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Mon Dec 19 16:23:33 2016
In-reply-to: <CANO=Ty0os29zNYEpAhc=ACr5oOMQ5hGyacPBNaqBFcB2L1DpKg@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <alpine.LNX.2.00.1612182041380.23402@forced.attrition.org> <65953FAA-EED4-4B7E-BAE2-3865558B7704@intel.com> <CANO=Ty0os29zNYEpAhc=ACr5oOMQ5hGyacPBNaqBFcB2L1DpKg@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
Spamdiagnosticoutput: 1:2
Thread-index: AQHSWgIjgBKUpliG/ka4ka3BIwi0wqEP5D0A//+fCAA=
Thread-topic: what text is being sent to researchers re: OSS assignments?
User-agent: Microsoft-MacOutlook/f.1b.0.161010

And as has been discussed by the Board, we are working towards getting a landing page that helps direct the requester to the right CNA. Currently the CNA-covered products link on the https://cveform.mitre.org points to the wrong place – in my mind. It should point to the https://cve.mitre.org/cve/data_sources_product_coverage.html#products instead. (Consider that a suggestion MITRE. ;-)) In the future the discussed intent is to make it even easier for the requester to locate the proper place to submit a CVE request thus reducing potential confusion. Until then Kurt is handling it properly.

---

Kent Landfield

+1.817.637.8026

From: Kurt Seifried <kseifried@redhat.com>
Date: Monday, December 19, 2016 at 9:03 AM
To: Kent Landfield <kent.b.landfield@intel.com>
Cc: jericho <jericho@attrition.org>, CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
Subject: Re: what text is being sent to researchers re: OSS assignments?

If I get an Apache request I would forward it to them, I have already done so with a pile of hackerone related requests.

On Mon, Dec 19, 2016 at 7:13 AM, Landfield, Kent B <kent.b.landfield@intel.com> wrote:

Can we please post this to the appropriate place? If you have an issue with this decision that the Board actively discussed, please as the question there. There is no reason to cross-post every message to both lists. This was a swim lane issue discussed by the Board and also discussed at the face-to-face meeting we had in Rockville, MD in November.

---
Kent Landfield
+1.817.637.8026

On 12/18/16, 8:44 PM, "owner-cve-cna-list@lists.mitre.org on behalf of jericho" <owner-cve-cna-list@lists.mitre.org on behalf of jericho@attrition.org> wrote:

Reference:

https://www.stevencampbell.info/2016/12/my-first-cve-2016-1000329-in-blogphp/

I submitted my CVE request through Mitre who notified me that open
source software CVE requests are now processed via the Distributed
Weakness Filing before being sent to Mitre for inclusion in their
database.

This creates an obvious disconnect and potentially duplicate assignments
and confusion, if researchers are being told to go to DWF for *all* OSS
assignments. For example, Apache is a CNA and has many OSS projects, but
vulnerabilities in their software should go to them, not DWF. Could MITRE
share the text that is being sent out currently?

.b

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- what text is being sent to researchers re: OSS assignments?
  - From: jericho <jericho@attrition.org>
- Re: what text is being sent to researchers re: OSS assignments?
  - From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Re: what text is being sent to researchers re: OSS assignments?
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: what text is being sent to researchers re: OSS assignments?
Next by Date: Re: what text is being sent to researchers re: OSS assignments?
Previous by thread: Re: what text is being sent to researchers re: OSS assignments?
Next by thread: CVE Board Meeting Minutes - 14 December 2016
Index(es):
- Date
- Thread