Re: CVE Requests

[Kurt Seifried <kseifried () redhat com>]

On 03/16/2012 12:30 PM, Mark Stanislav wrote:
> Is "VS@" supposed to be vendor-sec; the defunct list? Or is there
> another list I am not aware of? If so, can you please give me the *full*
> address? Thanks.

Sorry it is: http://oss-security.openwall.org/wiki/mailing-lists/distros

> I'd say you may want to coordinate that documentation with Steve Christy
> as the nine times he allocated CVEs for me directly, this sort of
> conversation never came up. I can understand frustration on your part
> that people may not be educated, but realize that if CNAs handle this
> process differently, it may not be a matter of education on how 'the
> system works' but rather consistency within the entire process, agnostic
> of whom is allocating a CVE.

We're working on it.

> I again, do appreciate your time but I suppose I'll just wait for Steve
> or whomever is manning cve@mitre to contact me back.

I'm simply loathe to assign CVE's for which I get no details from a
third party especially when they have sent requests in to Mitre already.
How do I know if Mitre has or has not assigned a CVE yet? We basically
end up with a race condition (and duplicates).


> Best,
>
> -Mark



-- 
Kurt Seifried Red Hat Security Response Team (SRT)