Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 9 Feb 2017 14:26:01 +0000
From: Jeremy Stanley <>
Subject: Re: MITRE is adding data intake to its CVE ID process

On 2017-02-09 09:10:23 +0000 (+0000), Simon McVittie wrote:
> The CVE form requires specifying a vendor on the "products and
> sources list". I'm sure this works fine for proprietary software,
> where everyone obtains Microsoft Office from Microsoft. For open
> source it seems impractical: for instance, I'm a maintainer of both
> D-Bus and ikiwiki, neither of which has any particular allegiance
> to any larger legal entity than the individual maintainers.

Agreed, having tried to figure out the form it seems geared toward
requesting CVE IDs for vulnerabilities you've found in someone
else's software, and not for maintainers of software to request CVE
IDs for vulnerabilities which have been disclosed to them. The
little detail callout icons for the vendor and product fields link
to the CNA coverage list[0] which in turn instructs, "For open
source software products not listed below, request a CVE ID through
the Distributed Weakness Filing Project[1] CNA." So I guess that's
what our project will be using in the future, or maybe just stop
bothering to obtain CVEs on our own and let the various downstream
redistributors of our software who are themselves CNAs issue them as
needed and then fight over whose is the correct one.

Jeremy Stanley

Download attachment "signature.asc" of type "application/pgp-signature" (950 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.