CVE Will Reject a Group of Unused CVE IDs


Adinolfi, Daniel R

All,

 

To help reduce the number of reserved but unused CVE IDs in the CVE List, the CVE Team will reject CVE IDs that CNAs have indicated as being unused from their prior CVE ID allocations. The CVE IDs affected include those from years 1999 through 2016. CVE List consumers will see 3103 reserved CVE IDs become rejected in an update on May 10th.

Each of these CVE entries will be updated with the following information ([Year] is replaced with four-digit year):

"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during [Year]. Notes: none."

CNAs are given blocks of CVE IDs each year, and those CVE IDs are marked as "RESERVED" in the CVE list until they are assigned to a vulnerability and published. CNAs often do not use all the CVE IDs they are allocated, which results in many reserved CVE IDs that will never be assigned to a vulnerability.

Going forward, at the start of each new calendar year, the CVE Team will ask CNAs for the list of unused CVE IDs from their allocations. Once we have that list of unused CVE IDs, we will update those CVE IDs to "REJECT" status, hopefully making it clearer that the CVE IDs do not represent unannounced vulnerabilities. (For more details about the meaning of the "REJECT" status, refer to <http://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id>.)

If there are any questions about this process, you can contact the CVE Team at <https://cveform.mitre.org/>.

 

Thanks.

 

-Dan, for the CVE Team

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <[hidden email]>  Phone: 781-271-5774
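
For consumers of the CVE List, the update announced above shows up as entries whose description changes from reserved to the REJECT text quoted in the message. The following is an added example, not part of the original message and not CVE Team code: it classifies description text and compares two snapshots of a list to separate the announced unused-allocation rejections from other rejections. The `** RESERVED **` prefix, the snapshot layout (ID mapped to description) and all IDs and descriptions are assumptions constructed for the example.

```python
import re

REJECT_MARK = "** REJECT **"        # marker quoted in the announcement
RESERVED_MARK = "** RESERVED **"    # assumed prefix for reserved entries

# Reject text from the announcement, wrapped as it appears there.
UNUSED_TEMPLATE = (
    "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or\n"
    "individual who requested this candidate did not associate it with any\n"
    "vulnerability during {year}. Notes: none."
)

# Same text as a pattern, with [Year] captured as four digits.
UNUSED_RE = re.compile(
    r"\*\* REJECT \*\* DO NOT USE THIS CANDIDATE NUMBER\. ConsultIDs: none\. "
    r"Reason: The CNA or individual who requested this candidate did not "
    r"associate it with any vulnerability during (\d{4})\. Notes: none\."
)


def classify(description):
    """Return (state, year) for one description string."""
    text = " ".join(description.split())  # undo line wrapping and extra spaces
    if text.startswith(REJECT_MARK):
        match = UNUSED_RE.fullmatch(text)
        if match:
            return ("REJECT_UNUSED", int(match.group(1)))
        return ("REJECT_OTHER", None)      # rejected for some other reason
    if text.startswith(RESERVED_MARK):
        return ("RESERVED", None)
    return ("PUBLISHED", None)


def reserved_to_rejected(before, after):
    """Compare two {id: description} snapshots.

    Returns (unused, review): `unused` maps IDs that became unused-allocation
    rejections to the year in the reject text; `review` lists every other
    newly rejected ID as (id, old_state, new_state).
    """
    unused, review = {}, []
    for cve_id, desc in after.items():
        new_state, year = classify(desc)
        if not new_state.startswith("REJECT"):
            continue
        old_state = classify(before[cve_id])[0] if cve_id in before else "ABSENT"
        if old_state.startswith("REJECT"):
            continue                       # was already rejected, nothing new
        if new_state == "REJECT_UNUSED" and old_state in ("RESERVED", "ABSENT"):
            unused[cve_id] = year
        else:
            review.append((cve_id, old_state, new_state))
    return unused, sorted(review)


# Constructed snapshots; the IDs are placeholders, not real CVE IDs.
BEFORE = {
    "CVE-2016-EXAMPLE1": "** RESERVED ** (constructed placeholder text)",
    "CVE-2016-EXAMPLE2": "Constructed description of a published entry.",
    "CVE-2015-EXAMPLE3": "** RESERVED ** (constructed placeholder text)",
    "CVE-2014-EXAMPLE4": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. "
                         "ConsultIDs: none. Reason: constructed. Notes: none.",
}
AFTER = {
    "CVE-2016-EXAMPLE1": UNUSED_TEMPLATE.format(year=2016),
    "CVE-2016-EXAMPLE2": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. "
                         "ConsultIDs: none. Reason: constructed. Notes: none.",
    "CVE-2015-EXAMPLE3": "** RESERVED ** (constructed placeholder text)",
    "CVE-2014-EXAMPLE4": BEFORE["CVE-2014-EXAMPLE4"],
    "CVE-2013-EXAMPLE5": UNUSED_TEMPLATE.format(year=2013),  # absent before
}

if __name__ == "__main__":
    unused, review = reserved_to_rejected(BEFORE, AFTER)
    print("unused allocations now rejected:", unused)
    print("other new rejections to review:", review)
```
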

 

 

 


RE: CVE Will Reject a Group of Unused CVE IDs

Waltermire, David A.

Will this result in the creation of a bunch of new “rejected” CVE entries in the CVE data feeds?

 

If so, I don’t think this specific approach is ideal or effective. If I am understanding this correctly, the feeds will be littered with a bunch of “rejected” entries. It may even be the case that the number of rejected entries will outnumber the actual used CVE entries.

 

While the board has agreed that sharing information about rejected and unused portions of the address space is needed, I don’t recall any decisions being made about how to do that yet. If decisions have been made, there may be some confusion about how this is proceeding.  If I am interpreting this correctly, I believe the board should discuss the specifics of this technical solution being proposed here before moving forward with making these changes.

 

Regards,

Dave

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Adinolfi, Daniel R
Sent: Tuesday, May 09, 2017 12:19 PM
To: Multiple recipients <[hidden email]>
Subject: CVE Will Reject a Group of Unused CVE IDs

 

All,

 

To help reduce the number of reserved but unused CVE IDs in the CVE List, the CVE Team will reject CVE IDs that CNAs have indicated as being unused from their prior CVE ID allocations. The CVE IDs affected include those from years 1999 through 2016. CVE List consumers will see 3103 reserved CVE IDs become rejected in an update on May 10th.

 

Each of these CVE entries will be updated with the following information ([Year] is replaced with four-digit year):

 

"** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: The CNA or individual who requested this candidate did not associate it with any vulnerability during [Year]. Notes: none."

 

CNAs are given blocks of CVE IDs each year, and those CVE IDs are marked as "RESERVED" in the CVE list until they are assigned to a vulnerability and published. CNAs often do not use all the CVE IDs they are allocated, which results in many reserved CVE IDs that will never be assigned to a vulnerability.

 

Going forward, at the start of each new calendar year, the CVE Team will ask CNAs for the list of unused CVE IDs from their allocations. Once we have that list of unused CVE IDs, we will update those CVE IDs to "REJECT" status, hopefully making it clearer that the CVE IDs do not represent unannounced vulnerabilities. (For more details about the meaning of the "REJECT" status, refer to <http://cve.mitre.org/about/faqs.html#reject_signify_in_cve_id>.)

 

If there are any questions about this process, you can contact the CVE Team at <https://cveform.mitre.org/>.

 

Thanks.

 

-Dan, for the CVE Team

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <[hidden email]>  Phone: 781-271-5774

 

 

 


RE: CVE Will Reject a Group of Unused CVE IDs

Coffin, Chris

Dave,

 

We are simply marking all previously unused CVE IDs as REJECT. These are the CVE IDs that CNAs told us are not assigned and are unused. Marking items as REJECT is fairly routine, though in this case we are talking about a much larger update. Is your concern specific to the number of REJECTs at once, or is it more about the fact that there may be new CVEs (i.e., non-REJECTs) mixed in with a bunch of REJECTs?

 

Note that this only affects the limited distribution CVENEW mailing list. The CVENEW mailing list has always listed REJECTs. The CVENew Twitter feed does not currently list REJECTs.

 

Chris

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Waltermire, David A. (Fed)
Sent: Tuesday, May 9, 2017 1:00 PM
To: Adinolfi, Daniel R <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: RE: CVE Will Reject a Group of Unused CVE IDs

 

Will this result in the creation of a bunch of new “rejected” CVE entries in the CVE data feeds?

 

If so, I don’t think this specific approach is ideal or effective. If I am understanding this correctly, the feeds will be littered with a bunch of “rejected” entries. It may even be the case that the number of rejected entries will outnumber the actual used CVE entries.

 

While the board has agreed that sharing information about rejected and unused portions of the address space is needed, I don’t recall any decisions being made about how to do that yet. If decisions have been made, there may be some confusion about how this is proceeding.  If I am interpreting this correctly, I believe the board should discuss the specifics of this technical solution being proposed here before moving forward with making these changes.

 

Regards,

Dave

 


Re: CVE Will Reject a Group of Unused CVE IDs

Waltermire, David A.
My concern is around publishing a bunch of new CVE entries just to mark them rejected. Say a CNA gets assigned a million ids in the 2017 block. They use the first 100k. In 2018, do we then create entries for the remaining 900k marking them as rejected?

Regards,
Dave



On: 09 May 2017 15:04, "Coffin, Chris" <[hidden email]> wrote:

Dave,

 

We are simply marking all previously unused CVE IDs as REJECT. These are the CVE IDs that CNAs told us are not assigned and are unused. Marking items as REJECT is fairly routine, though in this case we are talking about a much larger update. Is your concern specific to the number of REJECTs at once, or is it more about the fact that there may be new CVEs (i.e., non-REJECTs) mixed in with a bunch of REJECTs?

 

Note that this only affects the limited distribution CVENEW mailing list. The CVENEW mailing list has always listed REJECTs. The CVENew Twitter feed does not currently list REJECTs.

 

Chris

 


RE: CVE Will Reject a Group of Unused CVE IDs

Coffin, Chris

We have generally tried to limit block assignments to numbers that make sense based on past usage. So we wouldn’t assign a million to a CNA unless we thought that they would be used within the year.

 

This does raise the question of DWF CVE IDs and how those would be handled. However, at this point we are not marking the entire DWF CVE ID space as RESERVED at this time. This may be something to discuss in a future Board meeting as to how DWF CVE IDs should be handled.

 

Keep in mind that this cleanup is for all years of the program (1999 - 2016). This is just a first step in the process of dealing with RESERVED CVE IDs. We fully intend to continue the overall cleanup by populating CVE IDs that are listed as RESERVED in the master list but do have information available in the public domain.

 

Chris

 

From: Waltermire, David A. (Fed) [mailto:[hidden email]]
Sent: Tuesday, May 9, 2017 4:08 PM
To: Coffin, Chris <[hidden email]>; Adinolfi, Daniel R <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: Re: CVE Will Reject a Group of Unused CVE IDs

 

My concern is around publishing a bunch of new CVE entries just to mark them rejected. Say a CNA gets assigned a million ids in the 2017 block. They use the first 100k. In 2018, do we then create entries for the remaining 900k marking them as rejected?

 

Regards,

Dave

 



RE: CVE Will Reject a Group of Unused CVE IDs

Coffin, Chris

All,

 

Had a quick phone conversation with Dave on this. He is working with NVD team to address any impacts this update might have on the NVD list. We are pushing this update a day later to Thursday the 11th.

 

Regards,

 

Chris

 

From: [hidden email] [mailto:[hidden email]] On Behalf Of Coffin, Chris
Sent: Tuesday, May 9, 2017 4:22 PM
To: Waltermire, David A. (Fed) <[hidden email]>; Adinolfi, Daniel R <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: RE: CVE Will Reject a Group of Unused CVE IDs

 

We have generally tried to limit block assignments to numbers that make sense based on past usage. So we wouldn’t assign a million to a CNA unless we thought that they would be used within the year.

 

This does raise the question of DWF CVE IDs and how those would be handled. However, at this point we are not marking the entire DWF CVE ID space as RESERVED at this time. This may be something to discuss in a future Board meeting as to how DWF CVE IDs should be handled.

 

Keep in mind that this cleanup is for all years of the program (1999 - 2016). This is just a first step in the process of dealing with RESERVED CVE IDs. We fully intend to continue the overall cleanup by populating CVE IDs that are listed as RESERVED in the master list but do have information available in the public domain.

 

Chris

 


RE: CVE Will Reject a Group of Unused CVE IDs

Waltermire, David A.

We have been able to confirm that the rejected CVEs will be ignored by the NVD. Thanks for being flexible by pushing this back a day.

 

Regards,

Dave

 

From: Coffin, Chris [mailto:[hidden email]]
Sent: Tuesday, May 09, 2017 6:34 PM
To: Coffin, Chris <[hidden email]>; Waltermire, David A. (Fed) <[hidden email]>; Adinolfi, Daniel R <[hidden email]>; cve-editorial-board-list <[hidden email]>
Subject: RE: CVE Will Reject a Group of Unused CVE IDs

 

All,

 

Had a quick phone conversation with Dave on this. He is working with NVD team to address any impacts this update might have on the NVD list. We are pushing this update a day later to Thursday the 11th.

 

Regards,

 

Chris

 
