Date: Tue, 23 May 2017 08:43:25 -0600 From: Kurt Seifried <kseifried@...hat.com> To: "Perry E. Metzger" <perry@...rmont.com> Cc: oss-security@...ts.openwall.com Subject: Re: How to request a CVE for open source projects On 2017-05-22 8:28 PM, Perry E. Metzger wrote: > On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried > <kseifried@...hat.com> wrote: >>> Primarily, freeform discussion of the sort that occurred on this >>> list as a natural outcropping of the CVE request process led to >>> people linking to verification code, temporary mitigations, >>> highlighting of incomplete fixes, and the sort of information >>> that was requested earlier in this thread. This ability to >>> easily chip in to ongoing situations wasn't just useful for mitre >>> staff doing CVE work, it was also useful for the "community of >>> practice" looking for the latest information regarding >>> self-defense. I've prevented more than one attack thanks to a >>> one-off reply from someone in response to a CVE request. >> You can still do this. oss-security is a list run by Solar Designer >> (openwall.com). I happen to be a long time poster/moderator, but I >> have no official control/etc (I don't even block posts, that's up >> to solar, I just allow stuff or ignore it when it's up for >> moderation). > Maybe after CVEs are assigned the forms could be emailed to the list > as a replacement for the old request emails, to kick off > discussion and alert people to their existence? > > Perry The primary goals of the DWF are: 1) Creating CVE Mentors that can do CVE assignments, train other CVE Mentors, and help create CNAs 2) Creating CNAs for OpenSource so CVE assignments happen as close to the vulnerability as possible 3) "retail" CVE assignments (e.g. people using iwantacve.org) 4) Publishing that data to MITRE quickly as per the CNA guidelines, and the community in general (so at a minimum you can just monitor github, there may be more options moving forwards) And that's basically it. If people want to monitor the CVEs the DWF assigns and run a git to email gateway essentially they are welcome to assuming they get Solar's approval (it's his list so his rules), but it's out of scope for the DWF at this point. If people want the cat to have a nice bell they may have to step up and actually put a bell on the cat. -- Kurt Seifried -- Red Hat -- Product Security -- Cloud PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 Red Hat Product Security contact: secalert@...hat.com
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.