RE: upcoming intel issue
It seems to me that it would help if the coordinators working across
vendors to address this kind of issue would have an expectation of a
reserved CVE.
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
jericho
Sent: Wednesday, January 3, 2018 16:57
To: Landfield, Kent <Kent_Landfield@McAfee.com>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: upcoming intel issue
Importance: High
On Wed, 3 Jan 2018, Landfield, Kent wrote:
: On your second question, you have hit one of my sore points... I am a
: vendor, Intel is a vendor, RedHat is a vendor. I do not want ANYONE
: creating CVEs for my company's issues except my PSIRT team. Vendors
: need to be given the first opportunity and only if they officially have
: stated they are not going to issue an appropriate CVE in a clear and
: precise way, should anyone ever get in the way of their alerting their
: customers through an established advisory process. There is NO
: first-come-first-served with an authorized CVE CNAs. Period.
First, I understand your point completely and appreciate it. Second,
devil's advocate:
The first 24 hours of news coverage had the same bit; "Intel has not
responded to our request for comment". The Wired article published
about half an hour ago is the first I have seen to quote someone from
Intel.
Meanwhile, Apple already patched via workaround in macOS over a month
ago, Linux patches have been public for some time, etc. A single
article I have seen has given this vuln a name (Chipzilla), meaning the
last 24+ hours this has been "the Intel bug" to some, "the Linux Kernel
vulnerability" to others. Since CVE was designed in part to give a
single unique identifier, it's worth discussing if high-profile issues
w/o public vendor / CNA reference should use a different assignment
process.
Thoughts?
Brian