Date: Tue, 9 Jun 2015 19:59:01 +0000
From: "Seaman, Chad" <cseaman@...mai.com>
To: mancha <mancha1@...o.com>, "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>
CC: "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: Re: MITRE delays persist

2 weeks since disclosure/request, zero feedback, and one of my discovered vulnerabilities was submitted by a peer almost 1 week after my initial request was sent... he was given a CVE within 24 hours, I still haven't heard a peep back.




¯\_(ツ)_/¯



________________________________________
From: Steven M. Christey <coley@...re.org>
Sent: Tuesday, June 9, 2015 1:08 PM
To: mancha
Cc: oss-security@...ts.openwall.com; cve-assign@...re.org
Subject: [oss-security] Re: MITRE delays persist

> Back in mid-March you wrote an email addressing the CVE assignment
> delays people had been experiencing. [1]
>
> I was relieved when I received your email because I had several
> outstanding requests and was wondering why they were being held up.
>
> Unfortunately, almost 11 weeks have passed since your email and my
> pending requests have yet to be addressed.
>
> Would you please provide an update on the steps MITRE is taking to
> become more responsive and provide a hard timeline on clearing of the
> existing backlog?
>
> For example, I have pending requests dating back to mid-February.
>
> Thank you.
>
> [1] http://marc.info/?l=oss-security&m=142679274522902&w=2

Some requests are delayed because of complexity in deciding how
vulnerability information can be best represented in CVE. If there is a
vulnerability-research category, aspect, or approach that we feel may have
unexpected concerns that are specific to CVE, we prefer to resolve that
within our team, rather than follow a piecemeal approach to the related
individual requests. Accordingly, we do not designate a timeline that
applies globally to every request. If anyone needs additional confirmation
that a request has indeed been received and read, and that we are aware of
it remaining unanswered, sending directly to the cve-assign@...re.org
address is the best option.


---
CVE Assignment Team, MITRE CVE Numbering Authority
