
Re: Agenda for CVE Board Meeting Wednesday, 15 November 2017



On 2017-11-15 13:09, jericho wrote:
> : Do we much care about the year assigned/vs the year it was asked for and
> : acknowledged as a security issue? Looks like HackerOne may have done a
> : mass 2017 assignment to a lot of old issues. e.g.
> : https://hackerone.com/reports/713
> 
> That has been the 'standard' or guideline for most of CVE's history. If
> that changes, I feel it critical that it be communicated to the community
> and a disclaimer added somewhere on the CVE page(s). We're rapidly
> approaching where companies will start using CVE data to make general
> statements about how many vulnerabilities were disclosed in 2017, and many
> do it largely based off the IDs.

While I'm familiar with the history, and generally still agree that the 
YYYY in a CVE ID should match the year the vulnerability was made 
public (*), it's going to be more and more difficult to enforce.  We 
already spend effort fixing assignments around year boundaries.  So my 
version of the documentation would read:

"Reasonable effort is made to match the YYYY portion of CVE IDs with 
the year the vulnerability was made public, however, this is not always 
the case, so don't depend on it being 100% accurate."

Regards,

 - Art


(*) YYYY is meant to be the year the vulnerability (not the CVE ID) was 
published, right?  Not year the CVE ID was requested, assigned, or 
published?


Page Last Updated or Reviewed: November 16, 2017