Date: Tue, 28 Jul 2020 10:46:22 +0800
From: Zhang Xiao <xiao.zhang@...driver.com>
To: oss-security@...ts.openwall.com, Solar Designer <solar@...nwall.com>
Cc: xiao.zhang@...driver.com
Subject: Re: Contributing Back

On 2020/7/23 7:56 PM, Solar Designer wrote:
> On Thu, Jul 23, 2020 at 01:51:17PM +0530, Mohammad Tausif Siddiqui wrote:
>> I think the ball is on the CNA: Hackerone side to get it published to
>> MITRE, so that they can show it up on their page.
>>
>> CNAs are provided with weekly reports by the root CNA: MITRE, which lists
>> Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
>> the CVE was assigned on distros list or elsewhere. That closes the reminder
>> loop.
>>
>> There's no pull request for CVE-2020-8177 at
>> https://github.com/CVEProject/cvelist/pulls
>> We cannot determine if they used the alternative, web form:
>> https://cveform.mitre.org/
>>
>> You may want to reach Hackerone from the CNA contacts
>> <https://cve.mitre.org/cve/request_id.html#cna_participants>, for this
>> exception of delay.
> Most of the above is once again too specific to the given CVE ID,
> whereas we need a general understanding of whether the task Xiao
> proposes and volunteers for is worthwhile or not. I'd appreciate a
> direct answer to that.
>
> Do I interpret this paragraph correctly as implying the answer is no? -
>
>> CNAs are provided with weekly reports by the root CNA: MITRE, which lists
>> Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
>> the CVE was assigned on distros list or elsewhere. That closes the reminder
>> loop.
> In other words, CNAs receive their reminders from MITRE weekly, so
> there's no need for anyone else reminding them, correct? However, can
> it happen that MITRE wouldn't recognize a CVE ID as "Reserved But
> Public", continuing to treat it as merely reserved, in which case there
> would be no reminder to correct that? Could Xiao help with this?

Till now both CVE-2020-8177 and CVE-2020-8169 are still "reserved". I
believe it is valuable to remind them and I am glad to do it, but I just
realized I don't know how to do it. I tried two methods but neither of
them works. Can anyone give me any advice on how to do it?

Thanks
Xiao

> Alexander

Download attachment "pEpkey.asc" of type "application/pgp-keys" (2461 bytes)