Fwd: RE: Delays with numerous CVE-IDs assignments (fwd)

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

Fwd: RE: Delays with numerous CVE-IDs assignments (fwd)

jericho
Following up on Kurt's mail.

I'd ask that MITRE respond in a fashion that does not blame the CVE
Editorial Board for these delays, and outright refusals to issue IDs.

Please note that MITRE also refused to issue IDs to HTBridge for
vulnerabilities in OsCommerce, with over 250,000 deployed stores, calling
it "out of scope", as seen below.

https://cve.mitre.org/data/board/archives/2012-05/msg00032.html

This thread clearly shows that the Editorial Board were not given a real
choice as far as sources, just picking the most important of a tiny subset
of sources. To wit:

    As you consider these groups, understand that we are discussing
    prioritization, not feasibility.  It may be the case that CVE's current
    practices will need to be changed to provide the stated coverage goals
    for some of these sources.  We'll address that issue in later email
    discussions.

    We'll give some indications as to why we think the second group should
    be only partially covered below.

MITRE's failure or unwillingness to issue IDs is not really as "agreed
upon with the CVE Editorial Board". We were given a few absolutely
horrible options to pick from, and now you claim to be enforcing what we
agreed on? That is shifting blame entirely.

Next, consider that I emailed CVE-assign about a potential duplicate
assignment on 2016-01-29, received an auto-reply of sorts on 2016-02-02,
had to poke MITRE again on 2016-03-02 to remind them that the two vendors
in question were IBM and Apache, both on the primary list. Only then did
they reply with the details needed to help figure out the confusion in
assignment, which is still outstanding (but now squarely looking to be on
the shoulders of the researcher, not MITRE or a CNA).

Further note that the archives are not updating, magically again, when a
negative post about the MITRE process appears. It's getting hard to write
this off as coincidence.

.b


-------- Forwarded Message --------
Subject: RE: Delays with numerous CVE-IDs assignments
Date: Thu, 18 Feb 2016 23:01:37 +0000
From: Coffin, Chris <[hidden email]>
CC: CVE ID Requests <[hidden email]>

I am very sorry for the delays in responding to these requests. The CVE
team is actively working towards providing more timely responses to all
CVE-related communications.

The MITRE CVE team has started enforcing the scope and coverage
requirements previously agreed upon with the CVE Editorial Board, and
outlined in http://cve.mitre.org/cve/data_sources_product_coverage.html.
MITRE and the CVE Editorial Board agreed upon this scope several years
ago, but only recently put it into effect by declining to assign CVE IDs
to products that are out of scope.  We are currently working with the CVE
Editorial Board to define a more up to date list of products, as well as a
process that would allow products to be added or subtracted as
appropriate, but do not know when this will be completed.

With the exception of the Exponent CMS issue that was already assigned a
CVE-ID, the listed advisories affect products that do not appear within
our published or in-development products lists and would therefore be out
of scope at this time. If you feel that this is in error and that these
products should be within the CVE scope, please feel free to provide
justification (i.e., large install base, used in many IT shops, etc.). If
you do provide justification, we will add the products to a list for a
later review and possible inclusion within the CVE product lists.

If you have any further questions or concerns, don't hesitate to ask and I
am happy to help.

Best regards,

Chris Coffin
The CVE Team
The MITRE Corporation