Agenda item - broken embargoes


Agenda item - broken embargoes

Kurt Seifried-2
So I had someone submit a CVE request to the PUBLIC form iwantacve.org, and then go "oops, can you delete that", to which I replied "no, genie's out of the bottle, sorry". Is there any official MITRE or CVE policy on such a thing? I know in the Open Source world (e.g. the distros list) any public leak is treated as the embargo being broken because, well, it is. I'm inclined to keep that policy for the DWF, but was wondering if anyone else had any thoughts/comments/concerns? I know it's more of an internal CNA matter, but it might be good to provide some guidance, or at least information on the pros/cons around this.

--
Kurt Seifried
[hidden email]

Re: Agenda item - broken embargoes

Pascal Meunier
I agree that once it's been exposed publicly there's no putting it back in.  The
responsibility is obviously not yours, but is there a "safety" somewhere in the
mechanism?  If not, perhaps the tool could be made less "sharp".  I know you put
"PUBLIC" in large letters twice but it's in the middle of blobs of text.  

I can think of a number of safeties (delays, emails, etc) but my favorite would be the
following. You already have these statements "I confirm that...".  Perhaps it would be
easy to have one more like "I confirm that I want this information made irrevocably
PUBLIC NOW or that it is already PUBLIC."

Pascal

On Wed, 2018-03-21 at 09:47 -0600, Kurt Seifried wrote:

> So I had someone submit a CVE request to the PUBLIC form iwantacve.org, and
> then go "oops, can you delete that" to which I replied "no, genie's out of
> the bottle, sorry", is there any official MITRE or CVE policy on such a
> thing? I know in the Open Source world (e.g. distros list) any public leak
> is treated as the embargo being broken because, well, it is. I'm inclined
> to keep that policy for the DWF, but was wondering if anyone else had any
> thoughts/comments/concerns? I know it's more of an internal CNA matter but
> it might be good to provide some guidance or at least information of the
> pros/cons around this.
>

Re: Agenda item - broken embargoes

Kurt Seifried-2
Distributed Weakness Filing (DWF) CVE Request form for PUBLIC issues in OpenSource software v5.0
Please note that the contents of this form are made PUBLIC as a Google spreadsheet at https://pending-requests-v5.distributedweaknessfiling.org/ and anyone can add comments. You can also download all the data as an Excel file by going to https://pending-requests-xlsx-v5.distributedweaknessfiling.org/ (the download should start automatically).

The section below is the minimum mandatory questions (with the exception of the fixed version); a second optional set of questions follows. If you need CVE(s) for an embargoed issue please contact us via email. All responses MUST be in English, with exceptions for email address, vendor and product names. At this time the DWF cannot support any languages other than English.

I put the word PUBLIC in caps in the title and first sentence, and made it clear you can see the results publicly with a link. 

Too bad we don't have the blink tag anymore. Should I embed a video with loud audio "WARNING. THIS FORM IS FOR PUBLIC ISSUES"? =)

I don't plan to or want to have some mechanism to claw things back; it's the public form, the idea being the analysts can all work on it, and ANYONE can comment on it.


On Wed, Mar 21, 2018 at 11:24 AM, Pascal Meunier <[hidden email]> wrote:
I agree that once it's been exposed publicly there's no putting it back in.  The
responsibility is obviously not yours, but is there a "safety" somewhere in the
mechanism?  If not, perhaps the tool could be made less "sharp".  I know you put
"PUBLIC" in large letters twice but it's in the middle of blobs of text.

I can think of a number of safeties (delays, emails, etc) but my favorite would be the
following. You already have these statements "I confirm that...".  Perhaps it would be
easy to have one more like "I confirm that I want this information made irrevocably
PUBLIC NOW or that it is already PUBLIC."

Pascal

On Wed, 2018-03-21 at 09:47 -0600, Kurt Seifried wrote:
> So I had someone submit a CVE request to the PUBLIC form iwantacve.org, and
> then go "oops, can you delete that" to which I replied "no, genie's out of
> the bottle, sorry", is there any official MITRE or CVE policy on such a
> thing? I know in the Open Source world (e.g. distros list) any public leak
> is treated as the embargo being broken because, well, it is. I'm inclined
> to keep that policy for the DWF, but was wondering if anyone else had any
> thoughts/comments/concerns? I know it's more of an internal CNA matter but
> it might be good to provide some guidance or at least information of the
> pros/cons around this.
>



--
Kurt Seifried
[hidden email]