Date: Wed, 8 Nov 2023 15:33:35 -0500
From: "David A. Wheeler" <dwheeler@...eeler.com>
To: oss-security@...ts.openwall.com,
 contact@...cve.org
Subject: Re: !CVE: A new platform to track security issues not
 acknowledged by vendors


> On Nov 8, 2023, at 12:52 PM, Vegard Nossum <vegard.nossum@...cle.com> wrote:
> 
> I am not a lawyer, but I'd assume you would run into some issues with
> the naming of all this -- wasn't that the exact issue that somebody else
> ran into when they tried to assign identifiers to bugs that MITRE
> wouldn't acknowledge? Here's what they said back then:
> 
> <https://cve.mitre.org/news/archives/2021/news.html#April022021_Message_to_DWF_from_the_CVE_Board>
> 
> I somehow doubt the presence of the ! makes much of a difference.

The problem in that case wasn't that someone else used an "XYZ-" format ID. Bugtraq did that before,
and many others do it today. The problem was that the group labeled some non-CVEs as "CVE-...", which
is confusing and probably violates trademarks.

The "!CVE" group isn't using "CVE", they're using "!CVE". The question is,
is that distinct enough, or will typical users be confused by it?
I don't know the answer to that. However, I do worry that perhaps
"!CVE" is not distinct enough.

I would *strongly* recommend that this group use "NotCVE" or "NCVE" instead of "!CVE".
That would be more clearly distinct, and they already call themselves that.
I'll also note that searching for "!CVE" and storing that prefix will also cause some problems.

This gets into trademark law. I'm not a lawyer. However, I do talk to them :-). Trademark law doesn't
prevent you from *doing* an action, it just prevents certain kinds of confusing *names* because
it's helpful when names mean things. As long as the name/image/whatever is clearly distinct
there's no problem. So where possible, please use clearly distinct names for distinct things.
I think that's a good practice even when it's *not* legally required.

--- David A. Wheeler
