Regarding the Distributed Weakness Filing system

Regarding the Distributed Weakness Filing system

kseifried@redhat.com
I don't know if you have seen this yet or not:


TL;DR: In my personal life I work on other projects, one of them being vulnerability identifier related. 

First off: as Kurt Seifried the Red Hat employee I still continue to want to work with the CVE Board and Mitre to improve CVE and help move it forwards. However I obviously have some significant concerns, the worst of which can now be summarized as "Mitre, why won't you talk to us?". Other board members and I have raised a number of concerns, for which there has been no real response from Mitre.

I have additionally learned (and confirmed publicly) that Mitre is drastically reducing the number of CVE assignments, with many researchers stating that they have been largely unable to get CVEs for approx. 6 months now. The reasons given for not giving CVEs include "that product is not covered", "Mitre does not cover web applications" and "The vendor declined to fix the vulnerability".

I have grave concerns, and I suspect other board members do as well; please speak up if you do.

CVE is far too important to the computer industry for it to be allowed to fail.
 
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

Re: Regarding the Distributed Weakness Filing system

Pascal Meunier
On 03/07/2016 08:53 PM, Kurt Seifried wrote:
> "The vendor declined to fix the vulnerability".

That one is jaw-dropping.  By implication, if I refuse to fix it, you
can't mention it, discuss it, or issue an advisory about it?  That's
obstructing vulnerability disclosure, and a way to stimulate full
disclosure by default for future issues.

Can MITRE please report how many times this reason is used?

Pascal

Re: Regarding the Distributed Weakness Filing system

kseifried@redhat.com
Can someone from Mitre at least confirm that they have seen this email? It's been over a week now with no reply from Mitre on anything:

On Mon, Mar 7, 2016 at 7:49 PM, Pascal Meunier <[hidden email]> wrote:
> On 03/07/2016 08:53 PM, Kurt Seifried wrote:
> > "The vendor declined to fix the vulnerability".
>
> That one is jaw-dropping.  By implication, if I refuse to fix it, you can't mention it, discuss it, or issue an advisory about it?  That's obstructing vulnerability disclosure, and a way to stimulate full disclosure by default for future issues.
>
> Can MITRE please report how many times this reason is used?
>
> Pascal

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]

RE: Regarding the Distributed Weakness Filing system

Stephen Boyle

Kurt and Pascal,

Confirmed. The CVE Team received the emails and is reviewing the issues that you and others have raised. We apologize for the delay in responding and we are working to address those issues by 03/11/16. Going forward, the team will strive for same-day response to messages from the CVE Editorial Board List, but no longer than one business day.

Thank you for your contributions and for your patience as we work to improve our processes.

The CVE Team

> From: Kurt Seifried [mailto:[hidden email]]
> Sent: Wednesday, March 09, 2016 9:46 AM
> To: Pascal Meunier <[hidden email]>; Boyle, Stephen V. <[hidden email]>
> Cc: cve-editorial-board-list <[hidden email]>
> Subject: Re: Regarding the Distributed Weakness Filing system
>
> Can someone from Mitre at least confirm that they have seen this email? It's been over a week now with no reply from Mitre on anything: