Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 19 Mar 2015 14:01:04 -0600
From: Kurt Seifried <>
Subject: Re: cve-assign delays

On 03/19/2015 01:18 PM, Steven M. Christey wrote:
> We recognize that some requesters have experienced delays, and
> sometimes lengthy delays, in getting CVE IDs assigned. We apologize
> for those delays.
> The number of cve-assign requests has been growing dramatically, as
> has the number of unique and new requesters. Our goal is always to
> provide reasonable response times, and we were caught by the spike in
> requests.

Volume is definitely a problem, and only going to get worse.

> We are working to improve our responsiveness through a combination of
> process changes, improved communications, and staffing shifts.
> We appreciate your understanding and expect that you will see positive
> changes in the cve-assign response times over the coming weeks.
> Best regards,
> Steve Christey Coley

Has any consideration been given to maybe going with "Second class"
CVEs? For example in a case where a security issue is obvious (a PHP app
with XSS due to missing htmlspecialchars for example) and well
documented (link to a github commit or similar) could Mitre just assigns
the CVE, link it to the gihub commit or whatever the original source is
and it never give it a "real" description? Most of these types of issues
just need CVEs and an entry in the database with the source, I don't
think anyone cares much beyond that.

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ