Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017

To: Kurt Seifried <kseifried@redhat.com>
Subject: Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
From: jericho <jericho@attrition.org>
Date: Wed, 15 Nov 2017 12:09:49 -0600
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-date: Wed Nov 15 13:50:52 2017
Importance: high
In-reply-to: <CANO=Ty3Bw9eT7qsSVBzRs65+xEbhDp3kpVciqWZLaP+K+kZQfA@mail.gmail.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <DM5PR09MB1164A57009F7CC7D275E262AB1280@DM5PR09MB1164.namprd09.prod.outlook.com> <MWHPR09MB14566C5E6F01CE19610BB9E2A1280@MWHPR09MB1456.namprd09.prod.outlook.com> <CY4PR09MB14959ACE05638F0FFBD1E464F0290@CY4PR09MB1495.namprd09.prod.outlook.com> <CANO=Ty3Bw9eT7qsSVBzRs65+xEbhDp3kpVciqWZLaP+K+kZQfA@mail.gmail.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2
User-agent: Alpine 2.00 (LNX 1167 2008-08-23)

On Wed, 15 Nov 2017, Kurt Seifried wrote:

: Do we much care about the year assigned/vs the year it was asked for 
and 
: acknowledged as a security issue? Looks like HackerOne may have done 
a 
: mass 2017 assignment to a lot of old issues. e.g. 
: https://hackerone.com/reports/713

That has been the 'standard' or guideline for most of CVEs history. If 
that changes, I feel it critical that it be communicated to the 
community 
and a disclaimer added somewhere on the CVE page(s). We're rapidly 
approaching where companies will start using CVE data to make general 
statements about how many vulnerabilities were disclosed in 2017, and 
many 
do it largley based off the IDs.

Also note that many DWF assignments this year also broke from that, 
giving 
2017 assignments to issues as far back as 2012. This is not limited to 
HackerOne by any means.

Brian

Follow-Ups:
- RE: Agenda for CVE Board Meeting Wednesday, 15 November 2017
  - From: "Millar, Thomas" <Thomas.Millar@hq.dhs.gov>
- Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
  - From: Art Manion <amanion@cert.org>

References:
- Agenda for CVE Board Meeting Wednesday, 15 November 2017
  - From: Common Vulnerabilities & Exposures <cve@mitre.org>
- RE: Agenda for CVE Board Meeting Wednesday, 15 November 2017
  - From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
  - From: "Waltermire, David A. (Fed)" <david.waltermire@nist.gov>
- Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
  - From: Kurt Seifried <kseifried@redhat.com>

Prev by Date: Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
Next by Date: RE: Agenda for CVE Board Meeting Wednesday, 15 November 2017
Previous by thread: Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017
Next by thread: RE: Agenda for CVE Board Meeting Wednesday, 15 November 2017
Index(es):
- Date
- Thread