Re: CNAs using CVE IDs for Internal Bug Tracking
On Fri, 24 Feb 2017, Kurt Seifried wrote:
: > One suggestion was made on the Board call that might help mitigate some of
: > the problems associated with allowing this flexibility to CNAs. The
: > suggestion was to create a new CVE ID status to cover CNA block
: > reservations. Instead of RESERVED, we might refer to them as CNA-ASSIGNED
: > or some other tag that differentiates them from other currently RESERVED
: > CVE IDs. This could help CVE end-users differentiate between CVE IDs
: > assigned as blocks to CNAs versus CVE IDs assigned to researchers for
: > public or non-public but already identified vulnerabilities.
:
: I would suggest we have several main states:
:
: RESERVED by a CNA that plans to use it (e.g. may be part of a block) - I'm
: not sure we need to explicitly mention this (e.g. my block of 1
: million...)
: ASSIGNED by a CNA but not yet public
: PUBLIC

That would be slick, having ASSIGNED to designate that interim state.
But given the historical dismal communication between CNAs back to MITRE,
that might be many years in the making before it became useful/reliable.
.b