RE: CVE request form is missing an important bit
The year portion of the ID is not meant to indicate when the
vulnerability was discovered. In general, the year portion translates
to either the request year, or the public disclosure year.
We had explained the thought behind our process in an oss-security post
(quoted below) a couple of years ago [1]. The following is the main
take away from that post.
"The year portion of a CVE ID typically reflects when the CVE was
requested for non-public issues; or for already-public issues, the year
portion typically reflects the year of disclosure. The disclosure date
itself can be a subject of interpretation, such as when an issue is
disclosed at a publicly-accessible URL but only likely to be noticed by
a limited audience ("technically public") versus when the issue becomes
"widely public" to the infosec industry."
We could ask for this data in an optional field, but it might not be
used if the requester is unclear on how the year is currently used in
CVE. Would this be a problem on your side, i.e., you ask for a specific
year but it's assigned something different? Also, what would the
specific benefits be to allowing the requester to specify the year?
If anyone else has any thoughts or opinions that would differ from
this, please let us know.
[1] http://seclists.org/oss-sec/2015/q1/46
Chris Coffin
The CVE Team
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
jericho
Sent: Wednesday, January 04, 2017 5:39 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE request form is missing an important bit
Importance: High
MITRE,
The current form for requesting a CVE ID [1] only has one box that
could be used for this, "Additional information", but does not prompt
the question at all. The significant thing missing is that when
requesting an ID, you should be asked what year the ID is for.
e.g., I requested an ID for my day job yesterday and it even slipped my
mind that it technically should have been a 2016 ID since the issue was
discovered in December. As the form does not include anything to ask
such a question, it didn't occur to me either.
I believe the form needs to add a box or drop-down and request this
information, likely with a one-liner about how the year-based
assignments work (i.e. year it was discovered and/or disclosed to
vendor, not publicly), to better track vulnerabilities by year.
.b
[1] https://cveform.mitre.org/