Re: Convergence vs. multiple data entries
On 12/13/17 4:19 PM, Kurt Seifried wrote:
> Do we allow convergence of the data? (I think the obvious answer is yes)
Yes.
> Do we allow multiple sets of data? (I think the answer is... maybe,
My idea is to allow essentially comments or changelog entries on a CVE
record. Outside of what git records in PRs, something that is part of
the CVE entry.
For example:
CERT/CC publishes a vulnerability and writes the corresponding CVE
entry, submits via github, entry goes into CVE corpus and on to NVD.
Red Hat disagrees with any part of the entry and wants to make a change. There's
a facility to add a comment to the entry saying: "On $date, Red Hat says:
The CVSS score is wrong, here are two new references, and the version info in the
description should be updated." Depending on the nature of the comment,
DISPUTED status is set.
Assuming such a comment can be added with little or no friction (and
here is part of the business rules discussion, who can add comments,
with or without review?), CVE consumers now have new information. The
record hasn't been changed yet. CERT/CC responds, Red Hat responds,
someone else throws in, and the public comment log has provided a path
to allow convergence. In this example, CERT/CC is a responsive CNA,
considers and agrees with the comments, and updates the CVE entry.
If I read the original CVE entry and decide I never listen to what
Red Hat says, I can ignore the comment. If I think Red Hat is right, I
can act on the comment even before the entry is converged/updated.
And if there's no convergence, maybe some other rules or review come
into play, and a CNA upstream from CERT/CC decides to make changes. Or
the comment log sits there, documenting the dispute.
I need to think/talk more about the multiple data containers idea, but the lazy
part of my brain only hears "hey, added complexity for unclear reasons."
- Art