Date: Mon, 7 Mar 2016 18:31:22 -0700 From: distributed weaknessfiling <distributedweaknessfiling@...il.com> To: oss-security@...ts.openwall.com Subject: Distributed Weakness Filing (DWF) System So in the interests of full disclosure and transparency I (Kurt Seifried) am writing this email as an individual and member of the DWF System, and not as an employee of Red Hat. Please note that although I have a day job at Red Hat I also (like many information security people) work on other projects in my personal life, either because they are not work related, or because it's simply not appropriate to work on the project as part of my day job (in this case it's less about Red Hat, and more about the fact that as a Red Hat Employee I am a member of the CVE Editorial Board). I have increasingly noticed problems with Mitre's handling of the CVE database. This has come to a head now that I have multiple, confirmed, public reports of security researchers being unable to get CVE numbers assigned to them in a timely manner, if at all. As such the solution is simple: We need a distributed, scale out method for assigning vulnerability identifiers that is as compatible with the existing CVE system as possible. Not just in terms of format but in terms of process and usage. As such I took on the task, creating the DWF system and getting a number of other people involved (Larry Cashdollar, Zachary Wikholm, Josh Bressers, etc.). My goal is to create a simple system for assigning vulnerability identifiers that relies on the community and not a single entity or organization. Additionally I want to reduce the time and effort needed to get identifiers, something best achieved by pushing assigning out to as close to the vulnerability discover/handling as possible. With this in mind we have created a system that has several main components: 1) Documentation and Guidelines for how this whole thing works ( https://github.com/distributedweaknessfiling/DWF-Documentation/) 2) DWF Numbering authorities that can self assign DWF numbers, or assign on behalf of people that need DWF numbers but are not a numbering authority ( https://github.com/distributedweaknessfiling/DNA-Registry) 3) A database of DWF entries ( https://github.com/distributedweaknessfiling/DWF-Database) 4) A database of artifacts, files and related files for DWF entries (so that when websites disappear the required content is hopefully still available) ( https://github.com/distributedweaknessfiling/DWF-Database-Artifacts) There are 4 primary ways to get a DWF identifier: 1) If you already have a CVE identifier you can map it directly to DWF, e.g. CVE-2000-1234 maps directly to DWF-2000-1234. 2) If you are a DWF Numbering Authority (DNA) ( https://github.com/distributedweaknessfiling/DNA-Registry) you can self assign a DWF to the issue(s). 3) You can request a DWF from a DNA, this is ideal if the DNA is associated with the flawed software, or the DNA will assist in the handling of the security vulnerability. 4) You can request a DWF directly either via PULL request in GitHUB to the DWF Database (https://github.com/distributedweaknessfiling/DWF-Database) or by emailing us at distributedweaknessfiling@...il.com. Please note that the DWF would be happy to work with any and all entities (including Mitre!) with respect to making DWF better, or helping integrate the efforts of others. https://distributedweaknessfiling.org -Kurt Seifried
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.