Date: Fri, 10 Feb 2017 20:43:45 -0800
From: Tim <tim-security@...tinelchicken.org>
To: oss-security@...ts.openwall.com
Subject: Re: MITRE is adding data intake to its CVE ID process


> Once it's completely up and running, DWF should address these issues.
> Researchers and organizations can easily become CNAs under DWF, with
> assigned CVE blocks. For OSS, the process of getting a CVE (including
> pre-publication) should be much simpler than it has been, especially
> in recent years. It's not quite there yet, but Kurt and team have put
> a lot of effort into laying the groundwork for a much better solution
> than the ad-hoc "send an email and hope" process that we've become
> accustomed to.
> 
> The old system was far from perfect, as is the interim MITRE web form
> - hopefully with the help of the community, DWF will be able to
> provide a better process for all involved. For OSS, DWF is the
> solution we need to be focused on, and helping it to evolve to suit
> the needs of everyone.

Thanks for the update on where that is going.  I'm cautiously hopeful
that this will be what open source folks need in the future.


> > - The most telling though is the entire CNA program, particularly when
> >   it allowed only commercial vendors.  If a vendor decides something
> >   isn't a problem, they can block or slow CVE assignment.  It's a
> >   corruption of service that ought to be for the public benefit.  (And
> >   yes, this does happen.)
> 
> While I believe that DWF represents a substantial step forward for
> OSS, and getting CVEs to those that need them, when they need them, my
> feelings on CVEs for commercial software remain rather negative. I've
> stopped requesting CVEs for commercial software due to all of the
> issues - if I discover something where I believe a CVE is especially
> important, I direct the request through CERT/CC or another
> organization. But, this is getting off-topic.

I'm glad I'm not the only one who is frustrated with this.  I too have
given up on putting my effort into getting CVEs for most things.  If
someone else gets it assigned in a timely manner and I happen to
notice, fine, I'll put it in an advisory, but I'm no longer requesting
CVEs for vulns in commercial software.  (Were this resignation to be
widespread, it should be a huge red flag for MITRE.)

Corporate vendor vuln assignment does seem like a completely
different animal than open source assignment now, based on how MITRE
is (and has been) structuring things.  The fact that the two are
treated differently is a big source of my loss of faith in their
ability to run the program.

tim