oss-sec mailing list archives
Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies
From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 9 Mar 2016 13:55:45 -0700
On Wed, Mar 9, 2016 at 1:34 PM, Timothy D. Morgan <tim-security () sentinelchicken org> wrote:
All - I've chatted with some of the people who fund the CVE work at MITRE. I've learned that CVEs *are* being issued, but obviously that is happening too slowly. They're having a meeting tomorrow (March 10) to try to figure out what the problems are and how to fix it. I don't know what they'll do. However, I'm hopeful that this will mean that the CVE work will get back on track soon.

Thanks David for finding the right people and raising the issue with them. I'm sure media coverage is probably helping as well: http://www.theregister.co.uk/2016/03/09/hackers_spin_up_alternative_cve_system_as_bugs_go_unchecked/

Suppose MITRE fixes their issues tomorrow and the CVE goes back to the way it was. Is that really what we need going forward? A system that's based on sending emails between humans and posting only one-line descriptions with a series of links (half of which are broken after a short time)? A system which tries to distribute the load by using "big" software vendors, many of whom have a vested interest in limiting what vulnerabilities get published in their software? It seems like we can do better than this. Infosec hasn't been "working" for some time. Perhaps we need better tools to help us get ahead of the game.
Even if Mitre had unlimited funding there will be a need for the community to be involved, especially if we're going to make sure that CVE/DWF cover important flaws (of which there are thousands right now, and we haven't even dealt with the IoT or non-English software markets like China....).

Putting on my info security economics hat: I suspect the solution to this is the same as Open Source: we scale out, build a community and process that works, and change as needed. DWF is one such effort. We aim to reduce the cost of vulnerability identification and vulnerability coordination so that there's less negative incentive (cost in time and effort) to do this right.

As I've repeatedly stated, the DWF wants to work with CVE/Mitre if possible; forking vulnerability identification will create additional costs (retooling all the systems and processes that rely on CVE), so I want to minimize that as much as possible. The goal is to make things better and easier, not to add another standard for the sake of itself.
-- tim @ecbftw
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com