Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Sat, 5 Mar 2016 23:53:22 +0300
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On Sat, Mar 05, 2016 at 03:25:49PM -0500, Adam Caudill wrote:
> I very much like the idea of being able to get an ID instantly - it
> greatly simplifies an otherwise time consuming process. That said, I
> can see some issues with OVE:
> 
> * No Lookup - For a customer, going from OVE to what it represents
> could be complicated. It depends entirely on the researcher or vendor
> publishing a reference for that ID.

... or on any third-party doing it.  I expect that various existing
vulnerability databases will start listing OVE IDs along with other IDs
they're currently listing.  Whatever IDs are available for an issue.

Of course, the information will need to be available to those
third-party databases from somewhere - but this can be the researcher's
or the vendor's disclosure, as you say.  Until such disclosure, a
customer would not even be aware of the ID, let alone want to look it up.

> * Invalid Entries - As noted, there's no way to see if a given ID is
> considered valid, and while there is value to just having an ID, this
> model makes later curation more difficult. With no information behind
> the ID, there's no opportunity to later expand into a more complete
> solution.

I think there is such opportunity, it's just possibly more difficult.

> Here is what I would like to see:

This sounds similar to what Tim wanted.  Feel free to implement that.
I think if such a thing appears, there may still be interest in a
bare-bones solution, which OVE currently is.  I have no current plans to
expand OVE into a more complete solution.

> * Simple ID Request - Data required should be minimal, though I think
> a few basic items are needed. Perhaps vendor, product, version(s),
> title, and contact information.

A drawback is that such requests become somewhat security-sensitive, if
for yet unpublished issues.  This is already a major concern with CVE,
where information may be subject to unjustified risk for the purpose of
merely getting an ID assigned.

OVE currently side-steps the issue.

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.