Re: CVE request form is missing an important bit

["Landfield, Kent B" <kent.b.landfield@intel.com>]

Hi Chris,

What would your response have been if Brian had said the vulnerability 
was ‘public’ in December 2016?  I get your justification/education in 
this specific case but he has a valid point that the form needs to be 
enhanced.  There is nothing that says you cannot add the explanation as 
to how to appropriately use the ‘year’, but it is clear the form needs 
to be able to support this type of issue.  The idea was we would send 
in suggestion to enhance the submission form via real world experiences 
and this seems to fit that case. ;-)  Granted, we should normally only 
see this type of issue shortly after the 1st of any year but ...

FWIW.

---
Kent Landfield
+1.817.637.8026

On 1/5/17, 9:01 AM, "owner-cve-editorial-board-list@lists.mitre.org on 
behalf of Coffin, Chris" 
<owner-cve-editorial-board-list@lists.mitre.org on behalf of 
ccoffin@mitre.org> wrote:

    The year portion of the ID is not meant to indicate when the 
vulnerability was discovered. In general, the year portion translates 
to either the request year, or the public disclosure year. 
    
    We had explained the thought behind our process in an oss-security 
post (quoted below) a couple of years ago [1]. The following is the 
main take away from that post.
    
    "The year portion of a CVE ID typically reflects when the CVE was 
requested for non-public issues; or for already-public issues, the year 
portion typically reflects the year of disclosure. The disclosure date 
itself can be a subject of interpretation, such as when an issue is 
disclosed at a publicly-accessible URL but only likely to be noticed by 
a limited audience ("technically public") versus when the issue becomes 
"widely public" to the infosec industry."
    
    We could ask for this data in an optional field, but it might not 
be used if the requester is unclear on how the year is currently used 
in CVE. Would this be a problem on your side, i.e., you ask for a 
specific year but it's assigned something different? Also, What would 
the specific benefits be to allowing the requester to specify the year?
    
    If anyone else has any thoughts or opinions that would differ from 
this, please let us know. 
    
    [1] http://seclists.org/oss-sec/2015/q1/46
    
    Chris Coffin
    The CVE Team
    
    -----Original Message-----
    From: owner-cve-editorial-board-list@lists.mitre.org 
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
jericho
    Sent: Wednesday, January 04, 2017 5:39 PM
    To: cve-editorial-board-list 
<cve-editorial-board-list@lists.mitre.org>
    Subject: CVE request form is missing an important bit
    Importance: High
    
    MITRE,
    
    The current form for requesting a CVE ID [1] only has one box that 
could be used for this, "Additional information", but does not prompt 
the question at all. The significant thing missing is that when 
requesting an ID, you should be asked what year the ID is for.
    
    e.g. I requested an ID for my day job yesterday and it even slipped 
my mind that it technically should have been a 2016 ID since the issue 
was discovered in December. As the form does not include anything to 
ask such a question, it didn't occur to me either.
    
    I believe the form needs to add a box or drop-down and request this 
information, likely with a one-liner about how the year-based 
assignments work (i.e. year it was discovered and/or disclosed to 
vendor, not publicly), to better track vulnerabilities by year.
    
    .b
    
    [1] https://cveform.mitre.org/