DoD and CVE


DoD and CVE

Kurt Seifried-2
I can't help but feel like the DoD might need some CVE-related help:

https://www.gao.gov/mobile/products/GAO-19-128

Also this raises the point of "CVEs are for public vulnerabilities", but should we maybe look at what public means/how it is defined (I imagine the DoD/related community would benefit from CVE, but not always be in a position to make the CVEs they assign truly public). Maybe a separate namespace/number space for this kind of thing? (à la IPv4 space 10.*, 172.16.* and so on).

--
Kurt Seifried
[hidden email]

Re: DoD and CVE

Pascal Meunier
DoD is the most legitimate case I can think of for using their own numbering system
instead of CVEs.  They have confidentiality needs beyond what CVE can support, e.g.,
vs nation-state enemies.  What value would CVE IDs have to them, over any other
numbering system providing unique IDs?  

I can't reconcile the idea of separate private namespaces that anyone can use however
they like, with the definition of CVE IDs as unique.  They are not CVEs, they're just
numbers.  At best they could be a CNA for whatever they decide to make public, but
then why not use existing CNAs?

Pascal

On Wed, 2018-10-10 at 09:58 -0600, Kurt Seifried wrote:

> I can't help but feel like the DoD might need some CVE related help:
>
> https://www.gao.gov/mobile/products/GAO-19-128
>
> Also this raises the point of "CVE's are for public vulnerabilities" but
> should we maybe look at what public means/how it is defined (I imagine the
> DoD/related community would benefit from CVE, but not always be in a
> position to make the CVEs they assign truly public). Maybe a separate
> namespace/number space for this kind of thing? (ala IPv4 space 10.*,
> 172.16.* and so on).
>

Re: DoD and CVE

Kurt Seifried-2
A lot of military tech now includes COTS/Open Source. It's not like these companies wrote their own real-time OS and USB drivers...

On Wed, Oct 10, 2018 at 10:54 AM Pascal Meunier <[hidden email]> wrote:
DoD is the most legitimate case I can think of for using their own numbering system
instead of CVEs.  They have confidentiality needs beyond what CVE can support, e.g.,
vs nation-state enemies.  What value would CVE IDs have to them, over any other
numbering system providing unique IDs? 

I can't reconcile the idea of separate private namespaces that anyone can use however
they like, with the definition of CVE IDs as unique.  They are not CVEs, they're just
numbers.  At best they could be a CNA for whatever they decide to make public, but
then why not use existing CNAs?

Pascal

On Wed, 2018-10-10 at 09:58 -0600, Kurt Seifried wrote:
> I can't help but feel like the DoD might need some CVE related help:
>
> https://www.gao.gov/mobile/products/GAO-19-128
>
> Also this raises the point of "CVE's are for public vulnerabilities" but
> should we maybe look at what public means/how it is defined (I imagine the
> DoD/related community would benefit from CVE, but not always be in a
> position to make the CVEs they assign truly public). Maybe a separate
> namespace/number space for this kind of thing? (ala IPv4 space 10.*,
> 172.16.* and so on).
>


--
Kurt Seifried
[hidden email]