Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 10 Mar 2016 12:34:52 -0700
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security <oss-security@...ts.openwall.com>
Subject: Re: Concerns about CVE coverage shrinking - direct
 impact to researchers/companies

On Thu, Mar 10, 2016 at 12:25 PM, Tim <tim-security@...tinelchicken.org>
wrote:

> > It's git. You can trivially keep an entire copy the databases trivially.
> It
> > can be hosted in many places. We'd have to redo the issue tracking, but
> > bugtracking systems are not exactly hard anymore.
>
> I see that as only one component of having a distributed database.
> Who's running the cron job that constantly pulls down updates from the
> github server?  How do you ensure it's synced up when a legal threat
> causes the main repo to go black?
>

Whoever wants to. It's public. Can you give me a real world example of this
BTW, or are we just worrying about things that pretty much never happen in
real life, but make for fun email threads?


> > See above. That's the whole point of the artifacts database. Please
> reread
> > my original email maybe?
>
> > I am of course open to feedback, but please actually go to
> > https://github.com/distributedweaknessfiling/ and see what we're doing
> > first before assuming we aren't doing certain things (like making sure
> the
> > artifacts associated with a security vuln don't disappear).
>
> I did look.  Sorry I missed the artifacts.  The git repos and
> documentation make it far from obvious where that info lies.

Ok so is "A database of artifacts, files and related files for DWF
> entries (so that when websites disappear the required content is
> hopefully still available)" in an email the sum of your documentation
> on that right now?  Just want to be sure I didn't miss something else.
>

Not clear what your question is.


> Do you have ideas on how to capture vendor advisories?  Vendors are
> almost certainly, in 99% of cases, going to ignore the DWF for a long
> time.  Perhaps forever.  We're currently lucky to get many of them to
> even include a CVE # in their own advisory.  How can that information
> be captured without moderators having to do all the work?  Have you
> thought about how we can deal with the copyright issues associated
> with copying vendor content directly into the DWF for archival?
>

Vendors can submit them, to get your DWF # officially in the database you
also need to be willing to post the artifacts. So that's the big carrot for
a lot of researchers (official recognition which they can then use on their
resume/etc.).


>
> What I'm thinking is that perhaps there's a way to make vendors *want*
> to post information.  Also, perhaps there could be a way to license
>

Well with CVE we've already crossed that bridge for the ones that care,
they (like Red Hat) post CVEs, the vendors that don't care, well, they'll
continue to not care until customers speak up. One hope I have is that
getting more identifiers for issues that researchers find will give
customers the data they need to make informed decisions and maybe pressure
companies into behaving better.


> DWF numbering in such a way that vendors implicitly agree that the DWF
> can re-publish.  Or maybe there's a way to work with the Internet
> Archive to have third-party URLs archived automatically when they are
> first posted.  See:
>  https://archive-it.org/learn-more/
>
> tim
>



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.