Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Thu, 23 Jul 2020 13:56:45 +0200
From: Solar Designer <solar@...nwall.com>
To: oss-security@...ts.openwall.com
Subject: Re: Contributing Back

On Thu, Jul 23, 2020 at 01:51:17PM +0530, Mohammad Tausif Siddiqui wrote:
> I think the ball is on the CNA: Hackerone side to get it published to
> MITRE, so that they can show it up on their page.
> 
> CNAs are provided with weekly reports by the root CNA: MITRE, which lists
> Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
> the CVE was assigned on distros list or elsewhere. That closes the reminder
> loop.
> 
> There's no pull request for CVE-2020-8177 at
> https://github.com/CVEProject/cvelist/pulls
> We cannot determine if they used the alternative, web form:
> https://cveform.mitre.org/
> 
> You may want to reach Hackerone from the CNA contacts
> <https://cve.mitre.org/cve/request_id.html#cna_participants>, for this
> exception of delay.

Most of the above is once again too specific to the given CVE ID,
whereas we need a general understanding of whether the task Xiao
proposes and volunteers for is worthwhile or not.  I'd appreciate a
direct answer to that.

Do I interpret this paragraph correctly as implying the answer is no? -

> CNAs are provided with weekly reports by the root CNA: MITRE, which lists
> Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
> the CVE was assigned on distros list or elsewhere. That closes the reminder
> loop.

In other words, CNAs receive their reminders from MITRE weekly, so
there's no need for anyone else reminding them, correct?  However, can
it happen that MITRE wouldn't recognize a CVE ID as "Reserved But
Public", continuing to treat it as merely reserved, in which case there
would be no reminder to correct that?  Could Xiao help with this?

Alexander

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.