Date: Wed, 9 Mar 2016 09:10:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On Wed, Mar 9, 2016 at 8:59 AM, Tim Brown <tmb@...35.com> wrote:

> On Sunday 06 March 2016 21:39:54 Gsunde Orangen wrote:
>
> Quite, as much as I appreciate the options presented over the last few
> days, I don't think any of them are the winning horse.
>

It's simple. The winning horse is CVE. Or something that is fully CVE
compatible, like DWF.

To put it bluntly DWF is as close to 100% CVE compatible as it can be:

Numerically DWF can generally be mapped directly to CVE with no conflict,
if you spot a conflict between CVE and DWF please notify us so we can fix
it.

If you already have a CVE identifier you can map it directly to DWF, e.g.
CVE-2000-1234 maps directly to DWF-2000-1234.

https://github.com/distributedweaknessfiling/DWF-Documentation

Also the SPLIT/MERGE and general process for numbering authorities are
similar, if not nearly identical. I can say this with some authority having
assigned close to 5,000 CVEs =).


> As would I however, even with pointers from SC about who to poke within
> MITRE we came up short tracking a warm body down for (~7) months (even one
> that was willing to say no). That being said, we have now located a new
> warm body at MITRE who has made themselves known to us, I am more than
> happy to approach them about the following:
>

So to put it bluntly: good luck. In my role as a Red Hat employee I'm on
the CVE Editorial board and I can't get answers out of them. I'm now
posting things like:

====
Can someone from Mitre at least confirm that they have seen this email?
It's been over a week now with no reply from Mitre on anything:

https://cve.mitre.org/data/board/archives/2016-03/msg00000.html
https://cve.mitre.org/data/board/archives/2016-03/msg00006.html
https://cve.mitre.org/data/board/archives/2016-03/msg00008.html
====

>
> Indeed, such a project requires a vendor neutral host. If OWASP are up for
> it, then I would gladly support them running with the above proposal, if
> not then a good faith alternative ought to be sought.
>

Or better yet a community led effort, like DWF that is also willing to work
with Mitre (whether or not Mitre returns the favor remains to be seen).


>
> Tim
> --
> Tim Brown
> <mailto:tmb@...35.com>
>

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com
