oss-sec mailing list archives
Re: MITRE is adding data intake to its CVE ID process
From: "Priedhorsky, Reid" <reidpr () lanl gov>
Date: Mon, 13 Feb 2017 16:40:29 +0000
On Feb 10, 2017, at 8:59 PM, cve-assign () mitre org wrote:

> C5. I want MITRE to send the https://cveform.mitre.org form data, and the CVE ID, to the oss-security list at the same time that these are sent to the requester.
>
> R5. We have had internal discussions within MITRE about this. We are able to implement this easily if the community requires this approach. At the moment, we are expecting the requester to resend this information to oss-security once they accept their CVE ID assignment. Please see http://www.openwall.com/lists/oss-security/2017/02/09/26 for an example.
>
> C6. I want MITRE to send the https://cveform.mitre.org form data to the oss-security list as soon as that data is entered (i.e., before a CVE ID exists).
>
> R6. We have had internal discussions within MITRE about this. We are not yet able to implement this easily. We may work on this if the community requires this approach. However, our understanding of CVE consumers is that they look to MITRE as a source of vulnerability information after a CVE ID number exists, not before.

I’m glad to see the feedback taken seriously as well.

Recall that my oss-security use case was to maintain a reasonably comprehensive list of vulnerabilities for specific products. This workflow looked like:

1. See a notification (whether CVE request or not) on oss-security regarding products I’m interested in.
2. Add the vulnerability to my list.
3. Monitor the thread for additional information (patch, CVE assignment, etc.)

Like others, timely notification is more important for me than the CVE itself, but the CVE does help because it means list entries eventually get a unique ID.

I would like to see both C5 and C6 implemented as soon as practical.

As for whether it’s appropriate to send form data to oss-security immediately, I believe the right approach is to simply add the send/not send choice to the web form, required, with no default, so people must make a deliberate choice.

The alternatives I’ve seen raised would not be adequate for me. Specifically, depending on people to forward their stuff to the list is too brittle (people won’t do it reliably), and watching an XML feed requires setting up and maintaining software for a new data feed.

Thanks,
Reid