|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: clarification / statement on recent CVE abstraction policy changes and more
- To: Common Vulnerabilities & Exposures <cve@mitre.org>
- Subject: RE: clarification / statement on recent CVE abstraction policy changes and more
- From: jericho <jericho@attrition.org>
- Date: Mon, 6 Mar 2017 17:54:26 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Tue Mar 7 07:45:12 2017
- Importance: high
- In-reply-to: <MWHPR09MB14854D586D8AAA6A711E6135A12C0@MWHPR09MB1485.namprd09.prod.outlook.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <alpine.LNX.2.00.1703051829340.19881@forced.attrition.org> <MWHPR09MB14854D586D8AAA6A711E6135A12C0@MWHPR09MB1485.namprd09.prod.outlook.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
On Mon, 6 Mar 2017, Coffin, Chris wrote: : changes were previously discussed with the CVE Board. Also note that : these examples include a description that was written by the requester : and submitted via the CVE web form. Using requester-provided : descriptions is one part of our overall strategy to scale the CVE : program. I think the CVE entry should have a way to flag it as such, so that consumers know this was not written by MITRE and may not meet MITRE's historical standards. That would be a simple addition to the process, a check box essentially, and way to visually flag it. : > The first issue is just odd, and seems like someone was in a hurry, : > but this is problematic to sites using CVE data to generate stats, as : > the product names potentially don't match prior entries : : While these examples are generally not the norm, MITRE has not attempted : to normalize product names. We have always expected those who build on And yet, MITRE has done a good job normalizing products in descriptions historically. =) : > I also noticed that whoever made these recent entries didn't include the obvious fixing commits that were referenced in the bug tickets. : : MITRE's policy does not require including the fixing commits, even : though we have done so in previous cases. Also, if another reference can : be easily found via one already included then we may skip the former. Policy maybe not, but given the excessively detailed replies to some issues on oss-sec in the past, and digging into the commit to the tune of 30 minutes of coding/vuln analysis becomes quite the contrast to "didn't link the fixing commit that was in the bug entry linked". : > An apparent change in abstraction rule where five IDs were assigned : > for XSS issues that previously would have received one ID (e.g. : > CVE-2017-6487, CVE-2017-6488, CVE-2017-6489, CVE-2017-6490, and : > CVE-2017-6491) : : In this case the requester provided separate reports that appeared to be : independently fixable. The change to split by independently fixable : vulnerabilities rather than vulnerability type was enacted with the new : CNA Rules. Interesting, thanks. .b
- References:
- clarification / statement on recent CVE abstraction policy changes and more
- From: jericho <jericho@attrition.org>
- RE: clarification / statement on recent CVE abstraction policy changes and more
- From: "Coffin, Chris" <ccoffin@mitre.org>
- clarification / statement on recent CVE abstraction policy changes and more
- Prev by Date: Re: CVE for hosted services
- Next by Date: Agenda for CVE Board Meeting March 8 (Wednesday)
- Previous by thread: RE: clarification / statement on recent CVE abstraction policy changes and more
- Next by thread: Agenda for CVE Board Meeting March 8 (Wednesday)
- Index(es):