Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 27 Apr 2009 12:56:31 -0400 (EDT)
From: Josh Bressers <bressers@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: oss-security CNA

----- "Mark J Cox" <mjc@...hat.com> wrote:
> 
> So perhaps the solution is to have the vendor CNAs play more of a role on
> the oss-security list in allocating and helping with content decisions
> rather than having to have Mitre monitor the list.  Then, each time a CNA
> gives out a CVE on oss-security they could have some requirement of a
> mimimum set of information about the allocation they have to provide in the
> same mail.  By having the CNA buffer we'd only have to involve Steve or
> Mitre when something is complex.  However, that would mean Mitre would have
> to check oss-security list before allocating any CVE names for oss-issues
> and accept there may be more duplicate allocations.
> 

I've been thinking about this lately, it's likely a good idea.

I think having an oss-security CNA that is not MITRE would be useful, and
hopefully would alleviate some of the pressure MITRE currently feels. There
would of course be collisions from time to time, but that's likely going to
still cause less pain than the current model provides.

If this idea is appealing to MITRE, we could start working out some of the
details.

-- 
    JB

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.