Re: An interesting data point
On Mon, Dec 4, 2017 at 10:26 PM, jericho <jericho@attrition.org> wrote:
>
> On Mon, 4 Dec 2017, Kurt Seifried wrote:
>
> : Sorry I should be more clear: this is current data in the spreadsheet
> : that hasn't yet had CVEs assigned.
> :
> : https://docs.google.com/spreadsheets/d/1Jq_OpPxS5q8dLYdoWjKmklQG2AH8d9vl_2oKp-eGwA0
> :
> : There's also some historical rejects/etc (e.g. stuff that was beyond
> : saving or I never got a reply) in the other tabs of that spreadsheet.
>
> Ok wow, that expands things a bit. So three things based on a quick skim:
>
> #1 2017-1000186 doesn't appear to be in there, yet is a DWF assignment.
> Makes me think that your original mail applies to this sheet only. Makes
> me wonder what the status codes for prior assignments would look like, in
> a summary as you originally provided. That said, this sheet, along with
> the original mail, still doesn't give me the info needed to answer my
> question about 1000186.
You can check the git history and the spreadsheet history for info on
1000186.
>
> #2 Line 211/212, can you assign these ASAP? Hanno reached out to me
> earlier today, frustrated at the time it has taken to get an assignment
> for WolfSSL, as his intended multi-vendor disclosure date looms closer.
> Please respond to him directly.
Uh. 2 comments: one I told him to write better descriptions/etc. and
leave them as a comment. Secondly: this sheet is public.
"Please note that the contents of this form are made PUBLIC at
https://pending-requests.distributedweaknessfiling.org/ and anyone can
add comments. "
so .. a disclosure date.. er... ok then.
>
> #3 I get that the sheet makes export and CSV manipulation easy, but would
> someone expand the columns to make this more easily readable to humans, or
> give me permission so I can do it? =)
Nope. You can download/make a copy if needed.
>
> .b
>
>
> : On Mon, Dec 4, 2017 at 10:12 PM, jericho <jericho@attrition.org> wrote:
> : >
> : > On Mon, 4 Dec 2017, Kurt Seifried wrote:
> : >
> : > : So from the current crop of CVE requests the DWF got:
> : > :
> : > : 7 BAD:DESCRIPTION
> : > : 8 BAD:DESCRIPTION:MISSING:DETAILS
> : > : 23 BAD:DESCRIPTION:MISSING:PRODUCT,BAD:DESCRIPTION:MISSING:VERSION
> : > : 19 BAD:DESCRIPTION:MISSING:VERSION
> : > : 1 BAD:MULTIPLE_ISSUES
> : > : 11 BAD:REF_URL
> : > : 1 BAD:REF_URL,BAD:DESCRIPTION:MISSING:VERSION,BAD:DESCRIPTION:MISSING:PRODUCT
> : > : 2 BAD:VULN_TYPE
> : > : 1 NEEDINFO
> : > : 153 OK
> : > :
> : > : The status codes are at
> : > : https://github.com/distributedweaknessfiling/DWF-Documentation/blob/master/DWF-STATUS-ERROR-CODES-for-CVE-requests.md
> : > : but should be pretty self-evident. The good news is that a lot of these
> : > : can be fixed without too much work, but I definitely need to figure out
> : > : how to help people make better requests/write the descriptions (or auto
> : > : generate them.. I think that's the way to go).
> : >
> : > Out of curiosity, since the information above doesn't let me figure it
> : > out, what was the disposition code for CVE-2017-1000186? Curious if that
> : > was one of the non-OK entries.
> : >
> : > Brian
> :
> :
> :
> : --
> :
> : Kurt Seifried -- Red Hat -- Product Security -- Cloud
> : PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> : Red Hat Product Security contact: secalert@redhat.com
> :
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com