Date: Wed, 9 Mar 2016 09:10:04 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On Wed, Mar 9, 2016 at 8:59 AM, Tim Brown <tmb@...35.com> wrote:

> On Sunday 06 March 2016 21:39:54 Gsunde Orangen wrote:
> >
> Quite, as much as I appreciate the options presented over the last few
> days, I don't think any of them are the winning horse.

It's simple. The winning horse is CVE. Or something that is fully CVE
compatible, like DWF. To put it bluntly, DWF is as close to 100% CVE
compatible as it can be: numerically, DWF can generally be mapped directly
to CVE with no conflict; if you spot a conflict between CVE and DWF, please
notify us so we can fix it. If you already have a CVE identifier you can
map it directly to DWF, e.g. CVE-2000-1234 maps directly to DWF-2000-1234.

https://github.com/distributedweaknessfiling/DWF-Documentation

Also the SPLIT/MERGE and general process for numbering authorities are
similar, if not nearly identical. I can say this with some authority,
having assigned close to 5,000 CVEs =).

> As would I. However, even with pointers from SC about who to poke within
> MITRE, we came up short tracking a warm body down for (~7) months (even
> one that was willing to say no). That being said, we have now located a
> new warm body at MITRE who has made themselves known to us; I am more
> than happy to approach them about the following:

So to put it bluntly: good luck. In my role as a Red Hat employee I'm on
the CVE Editorial Board and I can't get answers out of them. I'm now
posting things like:

====
Can someone from Mitre at least confirm that they have seen this email?
It's been over a week now with no reply from Mitre on anything:

https://cve.mitre.org/data/board/archives/2016-03/msg00000.html
https://cve.mitre.org/data/board/archives/2016-03/msg00006.html
https://cve.mitre.org/data/board/archives/2016-03/msg00008.html
====

> Indeed, such a project requires a vendor-neutral host. If OWASP are up
> for it, then I would gladly support them running with the above
> proposal; if not, then a good faith alternative ought to be sought.

Or better yet, a community-led effort like DWF that is also willing to
work with Mitre (whether or not Mitre returns the favor remains to be
seen).

> Tim
> --
> Tim Brown
> <mailto:tmb@...35.com>

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com