Re: CNAs using CVE IDs for Internal Bug Tracking
On Fri, 24 Feb 2017, Coffin, Chris wrote:
: As part of the Feb 22 CVE Board call, the Board discussed CNAs using CVE
: IDs as part of their internal bug tracking. Specifically, when assigning
: CVE IDs early in the vulnerability management process by the CNA, CVE
: IDs may be assigned to issues where the details are not fully understood
: yet (e.g., the issue is later found to not be a vulnerability, multiple
: vulnerabilities turn out to be one, etc.) or for which there is never an
: intention to make them public. We know there are software maintainers
: that would like to function in this way. CVE would like to reach out to
: the Board as a whole and CNAs to better inform any decision made
: regarding whether this should be allowed.
To me, this is a pretty simple 'fix' based on dealing with most of the
CNAs in a variety of ways, including reporting dozens of vulns.

: Some CNAs currently assign CVE IDs as a final step before publication,

e.g. Oracle. I have traded mails with Bruce about this (and after our
emails, they are evaluating my feedback), saying that I do not agree with
this policy (and others pertaining to CVE assignment). One thing he and
others bring up is what you did above: assigning before details are
figured out or the issue is validated. The easy fix to that is to assign as
soon as the vendor confirms it is a valid issue that warrants a CVE.
That will put the assignment somewhere between day 1 (reporting) and day X
(disclosure), that is, not on day X or day X-1.

So I vote for flexibility... but I strongly vote against blindly assigning
on day 1, and I strongly vote against assigning on day X.
.b