Date: Thu, 11 Jun 2015 17:36:49 +0000
From: mancha <mancha1@...o.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org, coley@...re.org
Subject: Re: Re: MITRE delays persist

Thanks for your reply; comments in-line.

On Tue, Jun 09, 2015 at 01:08:51PM -0400, Steven M. Christey wrote:
> 
> >Back in mid-March you wrote an email addressing the CVE assignment
> >delays people had been experiencing. [1]
> >
> >I was relieved when I received your email because I had several
> >outstanding requests and was wondering why they were being held up.
> >
> >Unfortunately, almost 11 weeks have passed since your email and my
> >pending requests have yet to be addressed.
> >
> >Would you please provide an update on the steps MITRE is taking to
> >become more responsive and provide a hard timeline on clearing of the
> >existing backlog?
> >
> >For example, I have pending requests dating back to mid-February.
> >
> >Thank you.
> >
> >[1] http://marc.info/?l=oss-security&m=142679274522902&w=2
> 
> Some requests are delayed because of complexity in deciding how
> vulnerability information can be best represented in CVE. If there is
> a vulnerability-research category, aspect, or approach that we feel
> may have unexpected concerns that are specific to CVE, we prefer to
> resolve that within our team, rather than follow a piecemeal approach
> to the related individual requests. Accordingly, we do not designate a
> timeline that applies globally to every request.

I can certainly understand that. However, I looked back at my pending
requests and found them rather unextraordinary. Unless I am missing
something, there doesn't appear to be anything particularly complex in
my reports that would merit extended internal MITRE discussion let alone
four months of discussions.

> If anyone needs additional confirmation that a request has indeed been
> received and read, and that we are aware of it remaining unanswered,
> sending directly to the cve-assign@...re.org address is the best
> option.

I'm not the only reporter awaiting feedback/response from MITRE. This is
why a public status update from MITRE is a lot more valuable to the
oss-sec community (and beyond) than are updates provided privately to
individual reporters.

--mancha
