Date: Fri, 2 Nov 2012 14:49:54 -0400 (EDT)
From: cve-assign@...re.org
To: bressers@...hat.com
Cc: oss-security@...ts.openwall.com, cve-assign@...re.org
Subject: Re: Strange CVE situation (at least one ID should come of this)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> So if someone publishes an advisory stating "I have found a number of
> security flaws in product X." Would that get the same sort of CVE ID?

CVE assignment at MITRE attempts to distinguish between "disclosures" and "rumors", although admittedly this is not 100% successful.

In the specific case you mentioned, if there's no maintainer relationship between "I" and "product X" and no other available context, then no CVE is assigned.

More generally, there are various cases in which exactly the same statement would have a different CVE assignment decision depending on whether the statement came from a vendor or other software maintainer. This has been mentioned here before; for example, see http://openwall.com/lists/oss-security/2011/12/30/4

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
[PGP signature block omitted]
-----END PGP SIGNATURE-----