Date: Mon, 23 Jan 2012 15:04:25 -0500 (EST) From: "Steven M. Christey" <coley@...-smtp.mitre.org> To: oss-security@...ts.openwall.com Subject: Re: CVE id assignment dates Alexander, This misconception is, unfortunately, all too common. I will look into ways of changing it on the CVE web site. The Assigned date, strictly defined, is the date on which the specific CVE *number* was first created and "committed" to the CVE database. There is no guaranteed relationship between the public disclosure date and the Assigned date. When a CNA receives a pool of numbers, the Assigned date is when that pool was created by MITRE. A CNA pool is just a list of CVE numbers that aren't even associated with a specific vulnerability. When MITRE reserves a CVE candidate for an independent, non-CNA party, the "Assigned" date reflects the day that we reserved the candidate - which is sometimes before the issue is published, and sometimes even before the vendor is notified. In other cases, MITRE independently assigns new CVEs for already-disclosed vulnerabilities, and the Assigned date reflects when we created those CVEs. In this case, the Assigned date can be AFTER the original disclosure date. We do not publish any dates related to disclosure, patch, or vendor notification; interested parties can consult other databases that explicitly track this information, such as OSVDB. - Steve On Mon, 23 Jan 2012, Solar Designer wrote: > Hi, > > It appears that many people are confused by and concerned about the > "Assigned" dates on CVE ids, not being aware that these dates often (or > even all the time?) merely reflect the assignment of a CVE id pool to a > CNA, normally before the actual vulnerabilities are discovered. > > For example, CVE-2012-0056 shows "Assigned (20111207)" - so someone > wrongly thought that this meant that kernel developers or whoever sat on > this bug for 1.5 months. > > I think cve.mitre.org web pages need to provide an explanation right > next to these dates or not show the dates. > > Alexander >
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ