Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Mon, 23 Jan 2012 15:04:25 -0500 (EST)
From: "Steven M. Christey" <coley@...-smtp.mitre.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE id assignment dates


Alexander,

This misconception is, unfortunately, all too common.  I will look into 
ways of changing it on the CVE web site.

The Assigned date, strictly defined, is the date on which the specific CVE 
*number* was first created and "committed" to the CVE database.  There is 
no guaranteed relationship between the public disclosure date and the 
Assigned date.

When a CNA receives a pool of numbers, the Assigned date is when that pool 
was created by MITRE.  A CNA pool is just a list of CVE numbers that 
aren't even associated with a specific vulnerability.

When MITRE reserves a CVE candidate for an independent, non-CNA party, the 
"Assigned" date reflects the day that we reserved the candidate - which is 
sometimes before the issue is published, and sometimes even before the 
vendor is notified.

In other cases, MITRE independently assigns new CVEs for already-disclosed 
vulnerabilities, and the Assigned date reflects when we created those 
CVEs.  In this case, the Assigned date can be AFTER the original 
disclosure date.

We do not publish any dates related to disclosure, patch, or vendor 
notification; interested parties can consult other databases that 
explicitly track this information, such as OSVDB.

- Steve


On Mon, 23 Jan 2012, Solar Designer wrote:

> Hi,
>
> It appears that many people are confused by and concerned about the
> "Assigned" dates on CVE ids, not being aware that these dates often (or
> even all the time?) merely reflect the assignment of a CVE id pool to a
> CNA, normally before the actual vulnerabilities are discovered.
>
> For example, CVE-2012-0056 shows "Assigned (20111207)" - so someone
> wrongly thought that this meant that kernel developers or whoever sat on
> this bug for 1.5 months.
>
> I think cve.mitre.org web pages need to provide an explanation right
> next to these dates or not show the dates.
>
> Alexander
>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.