: > And "go through the sheet history"? I find it odd that after all the talk
: > and work done, even via an automation sub-group, that your suggestion is
: > to go through a Google sheet history. Worse, you apparently don't realize
: > that anonymous viewers cannot see the revision history of a Google sheet.
: > That option is greyed out for us, so that is not a solution at all (see
: > attached screenshot).
:
: That's my fault, I thought the view history was more public, but you
: need edit/ownership of the sheet to see the history.

You have also disabled "download, print, and copy" on it as well. So your suggestion that I copy the sheet won't work either unfortunately. See attached screenshot.

: > work to improve the assignments. Imagine what the regular CVE consumer
: > would face if they wanted to.
:
: I would point out you can contact the original requester, their email is
: in the CVE.

Please note my quoted bit vs your reply, which was the same when I brought this up last round. That simply doesn't scale, and it sets up for a lot of repetition. What if Symantec, IBM, RBS, and Secunia all contacted each researcher with questions like that? It might discourage them from requesting CVEs if it results in them getting questioned by several orgs, often asking the same questions.

: > times on this list over the years, our actions as CVE board members cannot
: > be about us only. We are on the board to represent CVE consumers and give
: > input to the processes as they benefit the community and the entire CVE
: > ecosystem.
:
: Honestly I'm not going to make a ton of effort to please you. If you

Again. This isn't about pleasing me. I specifically said that the process should be about the CVE consumer and larger ecosystem, not me or any one org represented on the board.
Example; from a mail today, where a CVE consumer points out the same thing I did last night in this thread:

    I can give you however one very specific feedback about something that puzzles me: Both in a previous request to Kurt for Erlang and in the request for Radware I was asked to give a public reference. In my impression CVEs work best (and should work) by having them assigned *before* disclosure, because then all announcements can already contain them. So that seems odd to me and there should be a process how to get a CVE for things not yet disclosed.

There is an obvious gap between how DWF and MITRE handle assignments. Personally, I understand the difference and intent of each. But for researchers looking to request, the current process is not clear to them. Hanno is asking if I can help expedite CVE Request 429210 (via MITRE), but I had to tell him no, I could not because MITRE refuses to answer any of my mails on or off list (a policy they have verified to other board members no less). For his multi-vendor disclosure, the current policy as he sees it, requires him to get some assignments via the CNA, some via DWF for open source, and some via MITRE for other non-OS vendors.

That is perhaps something the board should discuss, to find a way to improve that process. Perhaps a separate request form or process for multi-vendor disclosures is the answer?

: keeping an eye on CVEs and trying to ensure their correctness I'm more
: concerned about actually scaling CVE out and up, and running experiments

Great, and that is *exactly* what I said in this thread! A sheet I can't see the history of, can't copy, and can't even read without navigating to each cell doesn't scale, and that is for a single person.

Again, I am happy to make the edits to column width to make it more readable where it would be helpful (e.g. certain text blobs) and leave other columns small (e.g. URLs).
If you would like to give me access for about 15 minutes, just long enough to make the edits, and then revoke it, that is fine with me.

Also note that Hanno, until my reply to him today, was under the impression he was getting edit access to that sheet to fix up his descriptions, which I believe based on your reply is the hold-up for him getting an assignment? I suggested to him that likely wouldn't happen and to contact you directly. If that isn't the intended process please let him know, or me and I will relay it to him.

: > For a sheet that will be updated hours/days/weeks/months/years later
: > presumably... your solution to make this more readable to humans while in
: > native Sheet format is for them to make a copy, each and every time they
: > want to read it, and resize those columns every single time they make that
: > copy?
:
: Ahhh you misunderstand what the sheet is for. The sheet is simply a
: cheap and dirty storage mechanism which also offers commenting. If you'd

That is basically what I took the sheet's purpose to be. And it doesn't really matter what the purpose is, making it a bit more user-friendly doesn't hurt.

: > Again, did we lose focus on the whole 'automation' bit that seemed
: > important earlier this year? What harm is there in making a one-time
: > change that is a bit more readable for humans on a public sheet? I even
: > offered to do that for you.
:
: I'm honestly kind of tired of this. I'd make a simple request: please
: help rather than just complaining all the time.

I have offered to help, several times. On the prior thread about DWF assignments, I took the time to audit quite a few submissions, create tickets, contact researchers, and clear up a couple dozen of those assignments. Overall that required considerable time and effort to do so, and ultimately helps anyone using CVE as it leads to more accurate information. To me, that is helping.
: > There is a serious disconnect between the handful of people working on
: > these CVE assignment / tracking components, and the CVE consumers, who
: > this entire ecosystem is designed for.
:
: Ok, so what do you suggest? Will you step up and become a CVE mentor and
: help the DWF with CVE assignments?

I have been a 'CVE mentor' for well over five years, to multiple CNAs and researchers, and spent considerable time explaining process and standards to them. Several reach out to me for help in abstraction and understanding what the current policy is. Your question here, and statement before that, accuses me of doing nothing but complaining despite me very clearly offering to help you with that sheet, and despite my long history of helping CNAs and researchers.

As time permits, I am happy to help out where I can, where I feel my limited time is best spent. Presently, I do not have time to help with day-to-day assignments for DWF. As I run into certain disclosures that catch my eye, I am happy to chase down more information and interact with the requesting party to get clarity on their request though.

While you and I saw eye-to-eye on many things over a year ago, I realize that we don't currently on many issues now that DWF has evolved considerably. That doesn't mean that I am not helping in different ways than you are. I'd respectfully ask that you refrain from unfounded disparaging comments about me on the board list.

Brian
Attachment: cve-sheet-no-copy.png