Date: Wed, 8 Nov 2023 12:46:13 -0800
From: Jean Luc Picard <atari2600a@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: !CVE: A new platform to track security issues not
 acknowledged by vendors

I have a number of natsec-ey google reports that went nowhere, didn't get
credit or a dime out of it.  Most are nullified by the current state of
affairs struck by xAI (ie how to cook crack) but others I still feel should
be looked at by the greater community.  Is this the appropriate aggregate
platform now?

On Wed, Nov 8, 2023, 12:35 David A. Wheeler <dwheeler@...eeler.com> wrote:

>
> > On Nov 8, 2023, at 12:52 PM, Vegard Nossum <vegard.nossum@...cle.com> wrote:
> >
> > I am not a lawyer, but I'd assume you would run into some issues with
> > the naming of all this -- wasn't that the exact issue that somebody else
> > ran into when they tried to assign identifiers to bugs that MITRE
> > wouldn't acknowledge? Here's what they said back then:
> >
> > <https://cve.mitre.org/news/archives/2021/news.html#April022021_Message_to_DWF_from_the_CVE_Board>
> >
> > I somehow doubt the presence of the ! makes much of a difference.
>
> The problem in that case wasn't that someone else used "XYZ-" format ID.
> Bugtraq did that before, and many others do it today. The problem was
> that the group labeled some non-CVEs as "CVE-...", which is confusing
> and probably violates trademarks.
>
> The "!CVE" group isn't using "CVE", they're using "!CVE". The question is,
> is that distinct enough, or will typical users be confused by it?
> I don't know the answer to that. However, I do worry that perhaps
> "!CVE" is not distinct enough.
>
> I would *strongly* recommend that this group use "NotCVE" or "NCVE"
> instead of "!CVE". That would be more clearly distinct, and they already
> call themselves that. I'll also note that searching for "!CVE" and
> storing that prefix will also cause some problems.
>
> This gets into trademark law. I'm not a lawyer. However, I do talk to
> them :-). Trademark law doesn't prevent you from *doing* an action, it
> just prevents certain kinds of confusing *names* because it's helpful
> when names mean things. As long as the name/image/whatever is clearly
> distinct there's no problem. So where possible, please use clearly
> distinct names for distinct things. I think that's a good practice even
> when it's *not* legally required.
>
> --- David A. Wheeler
>
>
