Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 8 Nov 2023 12:46:13 -0800
From: Jean Luc Picard <>
Subject: Re: !CVE: A new platform to track security issues not
 acknowledged by vendors

I have a number of natsec-ey google reports that went nowhere didnt't get
credit or a dime out of it.  Most are nullified by the current state of
affairs struck by xAI (ie how to cook crack) but others I still feel should
be looked at by the greater community.  Is this the apprapriate aggregate
platform now?

On Wed, Nov 8, 2023, 12:35 David A. Wheeler <> wrote:

> > On Nov 8, 2023, at 12:52 PM, Vegard Nossum <>
> wrote:
> >
> > I am not a lawyer, but I'd assume you would run into some issues with
> > the naming of all this -- wasn't that the exact issue that somebody else
> > ran into when they tried to assign identifiers to bugs that MITRE
> > wouldn't acknowledge? Here's what they said back then:
> >
> > <
> >
> >
> > I somehow doubt the presence of the ! makes much of a difference.
> The problem in that case wasn't that someone else used "XYZ-" format ID.
> Bugtraq did that before,
> and many others do it today. The problem was that the group labeled some
> non-CVEs as "CVE-...", which
> is confusing and probably violates trademarks.
> The "!CVE" group isn't using "CVE", they're using "!CVE". The question is,
> is that distinct enough, or will typical users be confused by it?
> I don't know the answer to that. However, I do worry that perhaps
> "!CVE" is not distinct enough.
> I would *strongly* recommend that this group use "NotCVE" or "NCVE"
> instead of "!CVE".
> That would be more clearly distinct, and they already call themselves that.
> I'll also note that searching for "!CVE" and storing that prefix will also
> cause some problems.
> This gets into trademark law. I'm not a lawyer. However, I do talk to them
> :-). Trademark law doesn't
> prevent you from *doing* an action, it just prevents certain kinds of
> confusing *names* because
> it's helpful when names mean things. As long as the name/image/whatever is
> clearly distinct
> there's no problem. So where possible, please use clearly distinct names
> for distinct things.
> I think that's a good practice even when it's *not* legally required.
> --- David A. Wheeler

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.