Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Sat, 5 Mar 2016 09:20:07 -0800
From: Tavis Ormandy <>
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

Kurt Seifried <> wrote:

> So I've now heard from several security researchers that they are unable
> to get CVEs for issues that need CVEs (e.g. widely used hardware/software
> with flaws that have real world impacts and need to be properly tracked.
> This has definitely resulted in issues being publicized with no CVE that
> then makes it much harder to track and deal with these issues.
> I'm also worryingly hearing about people that may have given up asking for
> CVEs and publicizing their work at all, but of course cannot easily
> confirm this as I don't have any access on insight into what
> is actually doing/who
> they are talking to.

That's also the case for me, I gave up trying to assign CVE's a long time
ago. It's not that Mitre are not adding value, I can see the benefit of a
carefully curated list. The problem is that they're a big bottleneck in what
is an already painful process. I started the process of becoming a CNA once
to try and alleviate some of the delays, but that process was even more
painful and I gave up after a few months (this was a long time ago).

I'd only start using CVE identifiers again if they're assigned instantly,
and the curation is non-blocking.


Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ