HP's policy on CVE assignments


HP's policy on CVE assignments

jericho

Re: HP's policy on CVE assignments

Kurt Seifried
I guess the question is under section 2.1 of the CNA Guidelines:

"""
Assign CVE IDs to security vulnerabilities in their scope as described by the CNA’s Root CNA or the Primary CNA. CVE IDs should only be assigned to vulnerabilities that are or will be made public.2 Vulnerabilities that will not be made public do not receive CVE IDs. 
"""

What counts as "public"? I would argue releasing updates counts as public, even if they are closed source (and especially if they are open source). No CVEs definitely puts customers at risk as they may not be updating (things break), and attackers will be able to find these flaws whether or not they have CVEs (using bindiff/etc.).

On Fri, Apr 7, 2017 at 1:13 PM, jericho <[hidden email]> wrote:
Caught this via Twitter. Thoughts?

https://twitter.com/tombkeeper/status/850275006256787456



--

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: HP's policy on CVE assignments

jericho
On Fri, 7 Apr 2017, Kurt Seifried wrote:

: What counts as "public"? I would argue releasing updates counts as public,
: even if they are closed source (and especially if they are open source). No

Agreed. Over the last ten years, we have seen a big leap in reversing
patches, now to the point where many companies have automated setups to do
so. They are reliable and can pull out the vulnerable files and functions,
sometimes more details. As such, I don't see a closed source patch as
being "no public details" in today's age. Simply because technology has
risen to address that specifically.

: CVE's definitely puts customers at risk as they may not be updating
: (things break), and attackers will be able to find these flaws whether
: or not they have CVEs (using bindiff/etc.).

Agreed. Many organizations update based on the perceived need to, not just
because "hey look, shiny new version!" As such, not releasing details in a
changelog or advisory is negligent to some.

.b

Re: HP's policy on CVE assignments

jericho
Can MITRE weigh in on this please? Pretty significant stance for a CNA to
take, saying they will selectively assign based on how a solution is
delivered. I feel this goes against the spirit and purpose of CVE.

On Fri, 7 Apr 2017, jericho wrote:

: Caught this via Twitter. Thoughts?
:
: https://twitter.com/tombkeeper/status/850275006256787456
:

Re: HP's policy on CVE assignments

Adinolfi, Daniel R

Greetings,

We are contacting HP to discuss their disclosure policy to verify that it is not in conflict with the CNA Rules.

Once we have spoken to HP and have a better understanding of the issues, we will report back to the Board.

Please let us know if there are any other questions or concerns about this issue.

Thanks.

-Dan

_________________________

Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Communications and CNA Coordinator

Email: <[hidden email]>  Phone: 781-271-5774

From: <[hidden email]> on behalf of jericho <[hidden email]>
Date: Monday, April 10, 2017 at 22:59
To: cve-editorial-board-list <[hidden email]>
Subject: Re: HP's policy on CVE assignments


Re: HP's policy on CVE assignments

Kurt Seifried-2
Just a note: it might be useful to go through the CNA docs and highlight some of the potentially undefined/problematic terms/phrases, e.g. "public disclosure" and so on, so that we can maybe define them better.

On Tue, Apr 11, 2017 at 7:41 AM, Adinolfi, Daniel R <[hidden email]> wrote:

--
Kurt Seifried
[hidden email]

Re: HP's policy on CVE assignments

Adinolfi, Daniel R

I have added this as another item on the Suggested Rules Changes tracking document.

https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes

-Dan

From: Kurt Seifried <[hidden email]>
Date: Tuesday, April 11, 2017 at 10:29
To: "Adinolfi, Daniel R" <[hidden email]>
Cc: cve-editorial-board-list <[hidden email]>
Subject: Re: HP's policy on CVE assignments


Re: HP's policy on CVE assignments

Adinolfi, Daniel R

All,

As an update, I received an update from HP, and they are still investigating the issue internally. They plan to offer a response by the end of next week.

Thanks.

-Dan

From: <[hidden email]> on behalf of jericho <[hidden email]>
Date: Friday, April 7, 2017 at 15:13
To: cve-editorial-board-list <[hidden email]>
Subject: HP's policy on CVE assignments


Re: HP's policy on CVE assignments

Adinolfi, Daniel R

All,

HP let me know this week that this issue is still on their list of things to discuss, and they hope to do so by the end of next week. They have a committee that works on these sorts of issues, and they are running the issue through that committee.

Thanks.

-Dan

From: "Adinolfi, Daniel R" <[hidden email]>
Date: Friday, April 14, 2017 at 12:36
To: cve-editorial-board-list <[hidden email]>
Subject: Re: HP's policy on CVE assignments