oss-sec mailing list archives
Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies
From: Solar Designer <solar () openwall com>
Date: Sat, 5 Mar 2016 23:53:22 +0300
On Sat, Mar 05, 2016 at 03:25:49PM -0500, Adam Caudill wrote:
I very much like the idea of being able to get an ID instantly - it greatly simplifies an otherwise time consuming process. That said, I can see some issues with OVE: * No Lookup - For a customer, going from OVE to what it represents could be complicated. It depends entirely on the researcher or vendor publishing a reference for that ID.
... or on any third-party doing it. I expect that various existing vulnerability databases will start listing OVE IDs along with other IDs they're currently listing. Whatever IDs are available for an issue. Of course, the information will need to be available to those third-party databases from somewhere - but this can be the researcher's or the vendor's disclosure, as you say. Until such disclosure, a customer would not even be aware of the ID, let alone want to look it up.
* Invalid Entries - As noted, there's no way to see if a given ID is considered valid, and while there is value to just having an ID, this model makes later curation more difficult. With no information behind the ID, there's no opportunity to later expand into a more complete solution.
I think there is such opportunity, it's just possibly more difficult.
Here is what I would like to see:
This sounds similar to what Tim wanted. Feel free to implement that. I think if such a thing appears, there may still be interest in a bare-bones solution, which OVE currently is. I have no current plans to expand OVE into a more complete solution.
* Simple ID Request - Data required should be minimal, though I think a few basic items are needed. Perhaps vendor, product, version(s), title, and contact information.
A drawback is that such requests become somewhat security-sensitive, if for yet unpublished issues. This is already a major concern with CVE, where information may be subject to unjustified risk for the purpose of merely getting an ID assigned. OVE currently side-steps the issue. Alexander
Current thread:
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies, (continued)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Zach W. (Mar 04)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies mark (Mar 05)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Larry Cashdollar (Mar 05)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Alan Coopersmith (Mar 06)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Carlos Alberto Lopez Perez (Mar 09)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Alan Coopersmith (Mar 09)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Carlos Alberto Lopez Perez (Mar 10)
- Re: RE: Concerns about CVE coverage shrinking - direct impact to researchers/companies Tim (Mar 10)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Adam Caudill (Mar 05)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Solar Designer (Mar 05)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies Tim (Mar 05)
- Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies me (Mar 06)
- CVE Replacement Via Blockchains (was: Concerns about CVE coverage shrinking - direct impact to researchers/companies) Tim (Mar 07)