Date: Wed, 14 Dec 2016 08:09:09 -0700
From: Kurt Seifried <>
To: oss-security <>
Subject: Re: why many CVEs are ** RESERVED ** on Mitre

On Wed, Dec 14, 2016 at 7:36 AM, Sevan Janiyan <> wrote:

> Hello,
> On 14/12/2016 14:24, Kurt Seifried wrote:
> > ** RESERVED ** This candidate has been reserved by an organization
> > or individual that will use it when announcing a new security problem.
> > When the candidate has been publicized, the details for this
> > candidate will be provided.
> >
> > This means that the entry number has been reserved by Mitre for an issue or
> > a CNA has reserved the number. So in the case where a CNA requests a block
> > of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks
> > of 500), the CVE number will be marked as reserved even though the CVE
> > itself may not be assigned by the CNA for some time. Until the CVE is
> > assigned AND Mitre is made aware of it (e.g. the embargo passes and the
> > issue is made public), AND Mitre has researched the issue and written a
> > description of it, entries will show up as "** RESERVED **".
> This creates a situation where the Mitre site does not provide any
> information, marking the CVE as reserved despite an official
> advisory for affected software referencing the CVE.

So? Also this isn't really the appropriate place for this discussion and
this will be my last reply to this thread.

> Somewhat frustrating when performing vulnerability management as the
> mitre URL is self documenting but useless to reference as a source.

I would suggest you consider getting involved in helping create CVEs if it
is such an important resource, rather than just being a somewhat classic
"Free rider"

> Sevan


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact:
