Agree that this is worthy of a discussion, special handling, and probably some documented guidelines. One thought is that the CNA should identify issues that affect other vendors and notify/coordinate where appropriate, or at the very least contact their parent CNA so that they can share the reserved CVE ID and some limited bit of detail. It used to be the case that MITRE handled issues like this once public, though we have moved away from that in the past few years.

Regards,
Chris

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org]
On Behalf Of Kurt Seifried

So some challenges with this one:

1) it is multiple issues
2) it affects multiple vendors at the root cause level
3) it affects multiple vendors with workaround/fix (e.g. ... all the OSs, sigh)

So yes, it is correct to say that these 3 CVEs were from Intel's CNA and thus "owned" by Intel, but it's clear that literally every OS vendor on the planet that runs on x86 (and some others...) is going to need to deal with this, so from that perspective I think one could argue for more community "ownership" of the CVEs. I know this is a challenge the DWF faces (e.g. Linux Kernel, glibc, lots of projects that are used by literally everyone); the best way I can/could think of to fix this was the JSON format with per vendor/product statements so everyone can have their own cake on their own table, as it were.

I also know MITRE has poked me in the past for high visibility CVEs, and I generally agree with this, so perhaps some guidelines should be created, e.g. around severity/popularity/impact (e.g. CVSS score of 9.0 or higher and more than 10 million affected instances should be high priority, or if it hits cnn.com AND the BBC AND Reuters... and if the original CNA doesn't get it in quickly some other CNA is allowed to).

On Wed, Jan 3, 2018 at 4:17 PM, Millar, Thomas <Thomas.Millar@hq.dhs.gov> wrote:

--
Kurt Seifried