Date: Tue, 9 Jun 2015 23:24:44 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: mancha <mancha1@...o.com>,
	"cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: Re: MITRE delays persist

Hi,

FWIW, you can publish when you want and a CVE can be assigned
later on.

CVE is just an identifier, not a mandatory precondition for
disclosure.

Ciao, Marcus

On Tue, Jun 09, 2015 at 07:59:01PM +0000, Seaman, Chad wrote:
> 2 weeks since disclosure/request, zero feedback, and one of my discovered vulnerabilities was submitted by a peer almost 1 week after my initial request was sent... he was given a CVE within 24 hours, I still haven't heard a peep back.
> 
> 
> 
> 
> ¯\_(ツ)_/¯
> 
> 
> 
> ________________________________________
> From: Steven M. Christey <coley@...re.org>
> Sent: Tuesday, June 9, 2015 1:08 PM
> To: mancha
> Cc: oss-security@...ts.openwall.com; cve-assign@...re.org
> Subject: [oss-security] Re: MITRE delays persist
> 
> > Back in mid-March you wrote an email addressing the CVE assignment
> > delays people had been experiencing. [1]
> >
> > I was relieved when I received your email because I had several
> > outstanding requests and was wondering why they were being held up.
> >
> > Unfortunately, almost 11 weeks have passed since your email and my
> > pending requests have yet to be addressed.
> >
> > Would you please provide an update on the steps MITRE is taking to
> > become more responsive and provide a hard timeline on clearing of the
> > existing backlog?
> >
> > For example, I have pending requests dating back to mid-February.
> >
> > Thank you.
> >
> > [1] http://marc.info/?l=oss-security&m=142679274522902&w=2
> 
> Some requests are delayed because of complexity in deciding how
> vulnerability information can be best represented in CVE. If there is a
> vulnerability-research category, aspect, or approach that we feel may have
> unexpected concerns that are specific to CVE, we prefer to resolve that
> within our team, rather than follow a piecemeal approach to the related
> individual requests. Accordingly, we do not designate a timeline that
> applies globally to every request. If anyone needs additional confirmation
> that a request has indeed been received and read, and that we are aware of
> it remaining unanswered, sending directly to the cve-assign@...re.org
> address is the best option.
> 
> 
> ---
> CVE Assignment Team, MITRE CVE Numbering Authority

-- 
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>
