Information-technology Promotion Agency (JP) using several example CVEs (fwd)

Information-technology Promotion Agency (JP) using several example CVEs (fwd)

jericho
Suggestion:

Starting in 2018, reserve common 'example' CVEs like this for a given year
to help avoid collisions since the example may be used long before a valid
assignment. Hard to predict what people will use as an example, but I
would add -1234 and -12345 to this. I've sent several of these types of
examples to MITRE in the past. They should be able to generate a more
complete list.

.b

---------- Forwarded message ----------
From: jericho <[hidden email]>
To: CVE <[hidden email]>
Date: Wed, 17 May 2017 17:04:07 -0500 (CDT)
Subject: Information-technology Promotion Agency (JP) using several example
CVEs


FYI

https://www.ipa.go.jp/files/000058610.pdf

Slide 37:

CVE-2017-1000
CVE-2017-10000
CVE-2017-1000000
Re: Information-technology Promotion Agency (JP) using several example CVEs (fwd)

Kurt Seifried-2
Agreed, whether we like it or not, it'll happen. So in general:

CVE-YEAR-1000
CVE-YEAR-10000
CVE-YEAR-100000
CVE-YEAR-1000000
CVE-YEAR-1234
CVE-YEAR-12345
CVE-YEAR-123456
CVE-YEAR-1234567

RESERVED FOR EXAMPLES (a la example.org).

And then we had discussed using CVE-YEAR-900000 through CVE-YEAR-999999 for testing (e.g. if you see these in the wild it's a test and you can ignore them, unless you're part of the test and want to do whatever with them).

And that should cover pretty much all the usual cases.



On Fri, Jun 2, 2017 at 11:03 AM, jericho <[hidden email]> wrote:
: Suggestion:
:
: Starting in 2018, reserve common 'example' CVEs like this for a given year to help avoid collisions since the example may be used long before a valid assignment. Hard to predict what people will use as an example, but I would add -1234 and -12345 to this. I've sent several of these types of examples to MITRE in the past. They should be able to generate a more complete list.
:
: .b
:
: ---------- Forwarded message ----------
: From: jericho <[hidden email]>
: To: CVE <[hidden email]>
: Date: Wed, 17 May 2017 17:04:07 -0500 (CDT)
: Subject: Information-technology Promotion Agency (JP) using several example CVEs
:
:
: FYI
:
: https://www.ipa.go.jp/files/000058610.pdf
:
: Slide 37:
:
: CVE-2017-1000
: CVE-2017-10000
: CVE-2017-1000000



--
Kurt Seifried
[hidden email]
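As an added illustration of how a consumer of CVE IDs could act on the convention proposed above, here is a small Python classifier that is not part of this thread or of any CVE/CNA tooling. It assumes the proposal exactly as Kurt states it (the listed example sequence numbers reserved for every year, and CVE-YEAR-900000 through CVE-YEAR-999999 reserved for testing) and treats that as a local policy rather than as adopted CVE program rules; the bucket names, the sample feed and the syntax check for sequence numbers are this example's own choices.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sequence numbers proposed in the thread as reserved for examples, for every year.
EXAMPLE_SEQUENCES = frozenset({
    "1000", "10000", "100000", "1000000",
    "1234", "12345", "123456", "1234567",
})

# Range proposed in the thread as reserved for testing (inclusive bounds).
TEST_RANGE = (900000, 999999)

# CVE-YEAR-SEQUENCE: four-digit year; sequence is at least four digits and
# carries no extra leading zeros once it is longer than four digits.
# (Syntax rule assumed here for the example; adjust to your own parser.)
CVE_ID_RE = re.compile(r"^CVE-(\d{4})-(\d{4}|[1-9]\d{4,})$")


def parse_cve_id(text: str) -> Optional[Tuple[int, str]]:
    """Return (year, sequence) for a syntactically valid CVE ID, else None."""
    m = CVE_ID_RE.match(text.strip().upper())
    if m is None:
        return None
    return int(m.group(1)), m.group(2)


def classify(text: str) -> str:
    """Classify an ID as 'invalid', 'example', 'test' or 'assignable'."""
    parsed = parse_cve_id(text)
    if parsed is None:
        return "invalid"
    _year, sequence = parsed
    if sequence in EXAMPLE_SEQUENCES:
        return "example"          # placeholder from a slide or doc, never a real assignment
    if TEST_RANGE[0] <= int(sequence) <= TEST_RANGE[1]:
        return "test"             # proposed test range: ignore unless you run the test
    return "assignable"           # nothing in the proposal reserves it


def triage_feed(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket each line of an ID feed by classification, preserving input order."""
    buckets: Dict[str, List[str]] = {
        "invalid": [], "example": [], "test": [], "assignable": [],
    }
    for line in lines:
        buckets[classify(line)].append(line.strip())
    return buckets


# Constructed sample feed for this example; not taken from any real advisory.
SAMPLE_FEED = [
    "CVE-2017-1000",      # slide 37 example from the thread
    "CVE-2017-10000",
    "CVE-2017-1000000",
    "CVE-2018-1234",      # jericho's suggested additions
    "CVE-2018-12345",
    "CVE-2019-950123",    # inside the proposed test range
    "CVE-2019-0001",      # ordinary four-digit ID, nothing reserves it
    "CVE-2019-01234",     # malformed: leading zero on a five-digit sequence
    "CVE-19-1234",        # malformed year
]

if __name__ == "__main__":
    for bucket, ids in triage_feed(SAMPLE_FEED).items():
        print(f"{bucket:>10}: {', '.join(ids) or '-'}")
```

Feeding an advisory or tracker export through `triage_feed` separates placeholder and test IDs from IDs that a tracker should actually try to resolve; the "invalid" bucket catches malformed IDs (such as a five-digit sequence with a leading zero) that would otherwise silently fail a lookup.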
Re: Information-technology Promotion Agency (JP) using several example CVEs (fwd)

jericho
On Fri, 2 Jun 2017, Kurt Seifried wrote:

: RESERVED FOR EXAMPLES (ala example.org).
:
: And then we had discussed using CVE-YEAR-900000 through CVE-YEAR-999999
: for testing (e.g. if you see these in the wild it's a test and you can
: ignore them, unless you're part of the test and want to do whatever with
: them).

Not sure offhand if that is documented anywhere for widespread public
consumption. While we should add it to the CNA docs, any ideas on how to
have a broader outreach in the hopes of encouraging organizations and
one-off researchers to use the designated examples?

.b