Date: Thu, 19 Mar 2015 14:01:04 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: cve-assign@...re.org
Subject: Re: cve-assign delays

On 03/19/2015 01:18 PM, Steven M. Christey wrote:
>
> We recognize that some requesters have experienced delays, and
> sometimes lengthy delays, in getting CVE IDs assigned. We apologize
> for those delays.
>
> The number of cve-assign requests has been growing dramatically, as
> has the number of unique and new requesters. Our goal is always to
> provide reasonable response times, and we were caught by the spike in
> requests.

Volume is definitely a problem, and only going to get worse.

> We are working to improve our responsiveness through a combination of
> process changes, improved communications, and staffing shifts.
>
> We appreciate your understanding and expect that you will see positive
> changes in the cve-assign response times over the coming weeks.
>
> Best regards,
> Steve Christey Coley

Has any consideration been given to maybe going with "Second class"
CVEs? For example in a case where a security issue is obvious (a PHP app
with XSS due to missing htmlspecialchars for example) and well
documented (link to a github commit or similar) could Mitre just assign
the CVE, link it to the github commit or whatever the original source is,
and never give it a "real" description? Most of these types of issues
just need CVEs and an entry in the database with the source, I don't
think anyone cares much beyond that.

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993