Re: DoD and CVE
DoD is the most legitimate case I can think of for using their own
numbering system instead of CVEs. They have confidentiality needs beyond
what CVE can support, e.g., vs nation-state enemies. What value would CVE
IDs have to them, over any other numbering system providing unique IDs?

I can't reconcile the idea of separate private namespaces that anyone can
use however they like, with the definition of CVE IDs as unique. They are
not CVEs, they're just numbers. At best they could be a CNA for whatever
they decide to make public, but then why not use existing CNAs?
Pascal
On Wed, 2018-10-10 at 09:58 -0600, Kurt Seifried wrote:
> I can't help but feel like the DoD might need some CVE-related help:
>
> https://www.gao.gov/mobile/products/GAO-19-128
>
> Also this raises the point of "CVEs are for public vulnerabilities" but
> should we maybe look at what public means/how it is defined (I imagine
> the DoD/related community would benefit from CVE, but not always be in a
> position to make the CVEs they assign truly public). Maybe a separate
> namespace/number space for this kind of thing? (ala IPv4 space 10.*,
> 172.16.* and so on).
>