Date: Tue, 14 Apr 2015 03:20:59 -0400 (EDT) From: cve-assign@...re.org To: solar@...nwall.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: discourage "CVE only" use of (linux-)distros -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > if MITRE can assign them without obtaining detail If the person is already very familiar with what types of issues are included in CVE, and what requests should go to MITRE rather than to the vendor, then we are usually most concerned with counting vulnerabilities. In other words, minimum information for a report about one open-source product could be: - is part of the report about a vulnerability affecting one version, and another part of the report about a vulnerability affecting a different version? - is part of the report about a vulnerability that became public at one point in time, and another part of the report about a vulnerability that became public at a different point in time, such that customers may realistically have an installation that already has a fix for only the first part? - is part of the report about a vulnerability discovered by one person/organization, and another part of the report about a vulnerability discovered by a different person/organization? - is there any reasonable interpretation that part of the report is about one "vulnerability type" and another part of the report is about a different "vulnerability type"? (We know that there is no possible definition of "vulnerability type" that makes sense for every conceivable security-research effort that may be occurring now or in the future.) "already very familiar" isn't the common case, though. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVLL9UAAoJEKllVAevmvmssGMH/iWs83qn0iLz8nV4UgsAiAhG LwflwpEO26x5bFKkSECcfi55JPZKnN4z/4+wfFakENesLeNTEu9blb6rEJcl6KbG o/R7TUE+uA/w8VXN91U8v5E04EQXgGuSaAFs+Zn8OwpSE2NHlmxZAQVGBFR6klSi nSnTFDGj9fkh6BUsB6yE2j9QDtw2S/TTwGYnjnoEWDXCEMQCwpKJBwbv+031CiME 09n6D7puQQ6vNv3ycYvvckUNIfEAU12hF+bxRf+6niQhpve551cccrOQZ/CdFYG8 RxMRmP5B7P5494DyyuMBFPmxRMTfo815SY5AadWhp05Y21r+pMePGPMzeuDjUpA= =L6eh -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.