Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 23 Jan 2012 23:26:40 +0400
From: Solar Designer <>
Subject: CVE id assignment dates


It appears that many people are confused by and concerned about the
"Assigned" dates on CVE ids, not being aware that these dates often (or
even all the time?) merely reflect the assignment of a CVE id pool to a
CNA, normally before the actual vulnerabilities are discovered.

For example, CVE-2012-0056 shows "Assigned (20111207)" - so someone
wrongly thought that this meant that kernel developers or whoever sat on
this bug for 1.5 months.

I think web pages need to provide an explanation right
next to these dates or not show the dates.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.