Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 23 May 2017 08:43:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "Perry E. Metzger" <perry@...rmont.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: How to request a CVE for open source projects



On 2017-05-22 8:28 PM, Perry E. Metzger wrote:
> On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried
> <kseifried@...hat.com> wrote:
>>> Primarily, freeform discussion of the sort that occurred on this
>>> list as a natural outcropping of the CVE request process led to
>>> people linking to verification code, temporary mitigations,
>>> highlighting of incomplete fixes, and the sort of information
>>> that was requested earlier in this thread.  This ability to
>>> easily chip in to ongoing situations wasn't just useful for mitre
>>> staff doing CVE work, it was also useful for the "community of
>>> practice" looking for the latest information regarding
>>> self-defense.  I've prevented more than one attack thanks to a
>>> one-off reply from someone in response to a CVE request.    
>> You can still do this. oss-security is a list run by Solar Designer
>> (openwall.com). I happen to be a long time poster/moderator, but I
>> have no official control/etc (I don't even block posts, that's up
>> to solar, I just allow stuff or ignore it when it's up for
>> moderation).
> Maybe after CVEs are assigned the forms could be emailed to the list
> as a replacement for the old request emails, to kick off
> discussion and alert people to their existence?
>
> Perry
The primary goals of the DWF are:

1) Creating CVE Mentors that can do CVE assignments, train other CVE
Mentors, and help create CNAs
2) Creating CNAs for OpenSource so CVE assignments happen as close to
the vulnerability as possible
3) "retail" CVE assignments (e.g. people using iwantacve.org)
4) Publishing that data to MITRE quickly as per the CNA guidelines, and
the community in general (so at a minimum you can just monitor github,
there may be more options moving forwards)

And that's basically it. If people want to monitor the CVEs the DWF
assigns and run a git to email gateway essentially they are welcome to
assuming they get Solar's approval (it's his list so his rules), but
it's out of scope for the DWF at this point.

If people want the cat to have a nice bell they may have to step up and
actually put a bell on the cat.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.