Date: Thu, 11 Jun 2015 17:36:49 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, coley@...re.org
Subject: Re: Re: MITRE delays persist

Thanks for your reply; comments in-line.

On Tue, Jun 09, 2015 at 01:08:51PM -0400, Steven M. Christey wrote:
>
> >Back in mid-March you wrote an email addressing the CVE assignment
> >delays people had been experiencing.
> >
> >I was relieved when I received your email because I had several
> >outstanding requests and was wondering why they were being held up.
> >
> >Unfortunately, almost 11 weeks have passed since your email and my
> >pending requests have yet to be addressed.
> >
> >Would you please provide an update on the steps MITRE is taking to
> >become more responsive and provide a hard timeline on clearing of the
> >existing backlog?
> >
> >For example, I have pending requests dating back to mid-February.
> >
> >Thank you.
> >
> > http://marc.info/?l=oss-security&m=142679274522902&w=2
>
> Some requests are delayed because of complexity in deciding how
> vulnerability information can be best represented in CVE. If there is
> a vulnerability-research category, aspect, or approach that we feel
> may have unexpected concerns that are specific to CVE, we prefer to
> resolve that within our team, rather than follow a piecemeal approach
> to the related individual requests. Accordingly, we do not designate a
> timeline that applies globally to every request.

I can certainly understand that. However, I looked back at my pending
requests and found them rather unextraordinary. Unless I am missing
something, there doesn't appear to be anything particularly complex in
my reports that would merit extended internal MITRE discussion let alone
four months of discussions.

> If anyone needs additional confirmation that a request has indeed been
> received and read, and that we are aware of it remaining unanswered,
> sending directly to the cve-assign@...re.org address is the best
> option.

I'm not the only reporter awaiting feedback/response from MITRE. This is
why a public status update from MITRE is a lot more valuable to the
oss-sec community (and beyond) than are updates provided privately to
individual reporters.

--mancha