Date: Tue, 9 Jun 2015 23:24:44 +0200
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Cc: mancha <mancha1@...o.com>, "cve-assign@...re.org" <cve-assign@...re.org>
Subject: Re: Re: MITRE delays persist

Hi,

FWIW, you can publish when you want and a CVE can be assigned later on.

CVE is just an identifier, not a mandatory precondition for disclosure.

Ciao, Marcus

On Tue, Jun 09, 2015 at 07:59:01PM +0000, Seaman, Chad wrote:
> 2 weeks since disclosure/request, zero feedback, and one of my discovered vulnerabilities was submitted by a peer almost 1 week after my initial request was sent... he was given a CVE within 24 hours, I still haven't heard a peep back.
>
> ¯\_(ツ)_/¯
>
> ________________________________________
> From: Steven M. Christey <coley@...re.org>
> Sent: Tuesday, June 9, 2015 1:08 PM
> To: mancha
> Cc: oss-security@...ts.openwall.com; cve-assign@...re.org
> Subject: [oss-security] Re: MITRE delays persist
>
> > Back in mid-March you wrote an email addressing the CVE assignment
> > delays people had been experiencing.
> >
> > I was relieved when I received your email because I had several
> > outstanding requests and was wondering why they were being held up.
> >
> > Unfortunately, almost 11 weeks have passed since your email and my
> > pending requests have yet to be addressed.
> >
> > Would you please provide an update on the steps MITRE is taking to
> > become more responsive and provide a hard timeline on clearing of the
> > existing backlog?
> >
> > For example, I have pending requests dating back to mid-February.
> >
> > Thank you.
> >
> > http://marc.info/?l=oss-security&m=142679274522902&w=2
>
> Some requests are delayed because of complexity in deciding how
> vulnerability information can be best represented in CVE. If there is a
> vulnerability-research category, aspect, or approach that we feel may have
> unexpected concerns that are specific to CVE, we prefer to resolve that
> within our team, rather than follow a piecemeal approach to the related
> individual requests. Accordingly, we do not designate a timeline that
> applies globally to every request. If anyone needs additional confirmation
> that a request has indeed been received and read, and that we are aware of
> it remaining unanswered, sending directly to the cve-assign@...re.org
> address is the best option.
>
> ---
> CVE Assignment Team, MITRE CVE Numbering Authority

--
Marcus Meissner,SUSE LINUX GmbH; Maxfeldstrasse 5; D-90409 Nuernberg; Zi. 3.1-33,+49-911-740 53-432,,serv=loki,mail=wotan,type=real <meissner@...e.de>