Date: Fri, 4 Mar 2016 17:45:40 -0800
From: "Zach W." <kestrel@...linux.us>
To: oss-security@...ts.openwall.com
Cc: Art Manion <amanion@...t.org>, Kurt Seifried <kseifried@...hat.com>, cve-editorial-board-list <cve-editorial-board-list@...ts.mitre.org>
Subject: Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies

I agree. I've been in the same boat as Hanno. In one case, I even sent a request to both oss-sec and cve-assign about an open source platform called OSMC, and got a response off-list that was just like the one seen in Kurt's original email. I asked for clarification and for them to address both me and the list, and I never got a response. That was over a month ago. I'm sure Hanno and I are not the only ones.

Thank you Kurt for bringing this up.

Zach W.

On 3/4/2016 4:07 PM, Tim wrote:
>> The level of frustration in the research community has been growing,
>> with steady calls for a new CVE-like solution that is designed to
>> address these needs in a more effective way. I greatly appreciate the
>> work that has been done, but at this point CVE is becoming less
>> useful, less relevant - if this isn't addressed, my expectation is
>> that a CVE-like solution will be adopted by the community, and
>> researchers will begin moving away from requesting CVEs.
>
> The CVE system is clearly breaking down.
>
> I think we need a system that is less moderated and more content
> driven. I imagine a simple site, which looks like a stripped-down bug
> tracker. Let's suppose it acts like this:
>
> * Any researcher can post "claims" about vulnerabilities. This
> assigns an identifier immediately.
>
> * Claims about vulnerabilities may be reviewed, eventually, by an
> authority whose job it is to be sure the claim is associated
> properly with a real product/version and that the product owners are
> notified through an automated process (e.g. "security@...").
>
> * Product owners can respond to claims, which will appear alongside
> the claim. Links to patches or refutations can be included.
>
> * No moderation required. Let the public decide if they believe the
> researcher or vendor. If a moderator does bother to look over the
> content, they could deduplicate/link issues together and address any
> confusion, but beyond that, it isn't their job to decide what is a
> vulnerability and what isn't.
>
> * All information posted in this system exists publicly forever.
> Links to external content (that isn't well represented in the
> posting) are frowned upon, since the Internet Archive clearly can't
> keep up with everything. We need an archive that doesn't go away.
>
>
> Ok, beat it up.
>
> tim