dispute resolution
We're repeatedly running into issues with how to handle disputes. This
should be expected with the increasing number of CNAs and federation.
A few recent examples:
"An interesting data point" thread
"Problematic assignments for subpar reports via CVE request form"
thread (Lin Wang)
On 2017-12-06 10:00, Waltermire, David A. (Fed) wrote:
> Under #3 or as a separate item, I'd like to have us explore what the
> workflow could be for submitting corrections to another organization. For
> example, what if the NVD finds a spelling error in a CVE entry description
> or a fixed broken reference? How could we submit a pull request to kick off
> a workflow to allow that feedback to be addressed by the appropriate party?
> What degree of automation could we use to support this?
While we will always need board and CNA discussions to work out
emerging issues and policy and technology solutions, I suggest we look
at something more distributed and lower effort.
I see at least two classes of dispute that get
conceptually/subjectively difficult to resolve:
1. "not a vulnerability"
2. Split/merge
Here is just one idea.
Continue with the current assignment rules and CNA expansion (and
expanding the git/github pilot).
For any dispute, flag the entry (possibly using the existing DISPUTED
state/status, although I also want to review CVE states). Along with
the flag there needs to be a way to capture the nature of the dispute,
possibly a short text/log entry, like "crash only." Also the source of
the dispute.
On ${date} Carsten disputes CVE-2016-LINWANG with reason "crash only,
no evidence of security impact."
The rest of the CVE downstream ecosystem can keep right on moving.
Those who want to treat disputed entries differently are free to do so.
And if/when a dispute is resolved, update the entry.
Who has dispute permissions? Board members, CNAs, anyone?
For split/merge issues, the dispute logging feature could record the
proposed relationships:
https://github.com/FIRSTdotorg/vrdx-sig-vxref-wip/blob/master/vxref/schema/vxref_schema_03.json
I'd suggest this as a board meeting agenda item, although I'm doubtful
for the 12/13 meeting.
Regards,
- Art
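The flag-plus-log idea above, worked through as an added illustration that is not part of the original message and not the CVE program's data format or the vxref schema it links to: each entry carries an append-only list of disputes (source, reason, date, and for split/merge the proposed related IDs), the DISPUTED state is derived from whether any dispute is still open, and a downstream consumer that wants to skip disputed entries does so with a filter. The entry descriptions, the second and third CVE IDs, and the date are constructed placeholders.

```python
"""Toy model of the dispute-flag proposal: an append-only dispute log per
CVE entry, a derived DISPUTED state, and a downstream filter.  Constructed
illustration only; not the CVE program's format or the vxref schema."""
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple


@dataclass
class Dispute:
    """One logged dispute: who raised it, why, when, and how it ended."""
    source: str                          # who disputes (board member, CNA, ...)
    reason: str                          # short text, e.g. "crash only"
    raised_on: date
    kind: str = "not a vulnerability"    # or "split/merge"
    proposed: List[str] = field(default_factory=list)  # related IDs (split/merge)
    resolution: Optional[str] = None     # None while the dispute is still open

    @property
    def is_open(self) -> bool:
        return self.resolution is None


@dataclass
class CveEntry:
    cve_id: str
    description: str
    disputes: List[Dispute] = field(default_factory=list)

    @property
    def state(self) -> str:
        # DISPUTED is derived, never set by hand: any open dispute flags the entry,
        # and resolving the last open dispute clears the flag automatically.
        return "DISPUTED" if any(d.is_open for d in self.disputes) else "PUBLIC"


def raise_dispute(entry: CveEntry, source: str, reason: str, raised_on: date,
                  kind: str = "not a vulnerability", proposed=()) -> Dispute:
    """Append a dispute to the entry's log and return it."""
    d = Dispute(source, reason, raised_on, kind, list(proposed))
    entry.disputes.append(d)
    return d


def resolve_dispute(entry: CveEntry, index: int, resolution: str) -> str:
    """Close dispute `index`; the log line stays so the history is auditable."""
    entry.disputes[index].resolution = resolution
    return entry.state


def log_line(entry: CveEntry, d: Dispute) -> str:
    """Render the human-readable record the proposal sketches."""
    return (f'On {d.raised_on.isoformat()} {d.source} disputes {entry.cve_id} '
            f'with reason "{d.reason}"')


def without_open_disputes(entries: List[CveEntry]) -> List[CveEntry]:
    """A downstream consumer that prefers to skip disputed entries filters here;
    consumers that do not care simply keep using the full list."""
    return [e for e in entries if e.state != "DISPUTED"]


def demo() -> Tuple[str, List[str], List[str]]:
    """Walk through a 'not a vulnerability' dispute and a split/merge dispute."""
    a = CveEntry("CVE-2016-LINWANG", "Crash in example parser (constructed)")
    b = CveEntry("CVE-2017-EXAMPLE-A", "Placeholder entry (constructed)")
    c = CveEntry("CVE-2017-EXAMPLE-B", "Placeholder entry (constructed)")

    d = raise_dispute(a, "Carsten", "crash only, no evidence of security impact",
                      date(2017, 12, 6))
    # A split/merge dispute records the proposed relationship instead of a verdict.
    raise_dispute(c, "NVD", "same issue as CVE-2017-EXAMPLE-A", date(2017, 12, 7),
                  kind="split/merge", proposed=["CVE-2017-EXAMPLE-A"])

    before = [e.cve_id for e in without_open_disputes([a, b, c])]
    resolve_dispute(a, 0, "CNA showed memory corruption; entry stands")
    after = [e.cve_id for e in without_open_disputes([a, b, c])]
    return log_line(a, d), before, after


if __name__ == "__main__":
    line, before, after = demo()
    print(line)
    print("visible before resolution:", before)
    print("visible after resolution: ", after)
```

The point of deriving the state rather than storing it is that the ecosystem never has to agree on who "owns" the flag: anyone with dispute permission appends to the log, the entry shows as disputed for as long as something is open, and the rest of the pipeline keeps moving.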