oss-sec mailing list archives
Re: MITRE is adding data intake to its CVE ID process
From: Jeremy Stanley <jeremy () openstack org>
Date: Thu, 9 Feb 2017 14:26:01 +0000
On 2017-02-09 09:10:23 +0000 (+0000), Simon McVittie wrote:
[...]
> The CVE form requires specifying a vendor on the "products and
> sources list". I'm sure this works fine for proprietary software,
> where everyone obtains Microsoft Office from Microsoft. For open
> source it seems impractical: for instance, I'm a maintainer of both
> D-Bus and ikiwiki, neither of which has any particular allegiance to
> any larger legal entity than the individual maintainers.
[...]

Agreed, having tried to figure out the form it seems geared toward requesting CVE IDs for vulnerabilities you've found in someone else's software, and not for maintainers of software to request CVE IDs for vulnerabilities which have been disclosed to them. The little detail callout icons for the vendor and product fields link to the CNA coverage list[0] which in turn instructs, "For open source software products not listed below, request a CVE ID through the Distributed Weakness Filing Project[1] CNA."

So I guess that's what our project will be using in the future, or maybe just stop bothering to obtain CVEs on our own and let the various downstream redistributors of our software who are themselves CNAs issue them as needed and then fight over whose is the correct one.

[0] http://cve.mitre.org/cve/request_id.html#cna_coverage
[1] https://docs.google.com/forms/d/e/1FAIpQLSeiY7ldJAx-fjU6eSnXDaX5TB--L1ujCQpmGAKnqBSJOcBShw/viewform

--
Jeremy Stanley