Message-ID: <Pine.GSO.4.51.0811111531300.6724@faron.mitre.org>
Date: Tue, 11 Nov 2008 15:48:18 -0500 (EST)
From: "Steven M. Christey" <coley@...us.mitre.org>
To: Rémi Denis-Courmont <rem@...eolan.org>
cc: "Steven M. Christey" <coley@...us.mitre.org>,
        Nico Golde <oss-security+ml@...lde.de>,
        oss-security@...ts.openwall.com, coley@...re.org
Subject: Re: CVE id request: vlc


On Tue, 11 Nov 2008, Rémi Denis-Courmont wrote:

> CVE.mitre.org says nothing about vendor obtaining a CVE number, only
> researchers. And typically, these guys don't do it, when dealing with
> videolan.org anyway.

I'm sorry, I did not mean to sound critical of you or anybody on the
oss-security mailing list.  Many consumers probably don't care if bug 1
affects a slightly different set of versions than bug 2.  It just happens
to be something that's important for CVE, and (indirectly) people who rely
on it.

I was using the vlc case as an example of a general challenge that we're
facing in CVE that's arisen as a result of the creation of the
oss-security list, which I fully support.  We certainly don't want to
interfere with the way that open source developers handle security issues.

- Steve
