Date: Sat, 5 Mar 2016 09:20:07 -0800
From: Tavis Ormandy <taviso@...xchg8b.com>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

Kurt Seifried <kseifried@...hat.com> wrote:
> So I've now heard from several security researchers that they are unable
> to get CVEs for issues that need CVEs (e.g. widely used hardware/software
> with flaws that have real world impacts and need to be properly tracked).
> This has definitely resulted in issues being publicized with no CVE, which
> then makes it much harder to track and deal with these issues.
>
> I'm also worryingly hearing about people that may have given up asking for
> CVEs and publicizing their work at all, but of course cannot easily
> confirm this as I don't have any access or insight into what
> cve-assign@...re.org is actually doing/who
> they are talking to.
>

That's also the case for me; I gave up trying to assign CVEs a long time ago.

It's not that Mitre are not adding value, I can see the benefit of a carefully curated list. The problem is that they're a big bottleneck in what is an already painful process.

I started the process of becoming a CNA once to try and alleviate some of the delays, but that process was even more painful and I gave up after a few months (this was a long time ago).

I'd only start using CVE identifiers again if they're assigned instantly, and the curation is non-blocking.

Tavis.