Full Disclosure mailing list archives
Re: CERT, Full Disclosure, and Security By Obscurity
From: "Steven M. Christey" <coley () linus mitre org>
Date: Fri, 31 Jan 2003 18:39:00 -0500 (EST)
Georgi Guninski said:
Recently when I notified some vendors about a vulnerability, I wrote something like a license agreement that the info should not be disclosed to m$, cert, mitre, sf and others.
Just to clarify some possible misconceptions about how we use incoming vulnerability information for CVE: 1) MITRE is a not-for-profit organization. The CVE project does not sell vulnerability information to anyone. Funding for the CVE project is exclusively from US government organizations, primarily the General Services Administration (GSA). 2) When someone requests a CVE candidate from MITRE for an issue that has not been published, the CVE team does not redistribute that information to anybody else, including our sponsors and others within MITRE. 3) Some major vendors and other organizations have the ability to assign CVE candidate numbers themselves without notifying MITRE of the related vulnerabilities. These Candidate Naming Authorities (CNAs) are provided with empty "pools" of candidates. For CNA-assigned candidates, MITRE learns of these vulnerabilities at the same time as everyone else, i.e. when they are published. The caveat is that CNAs must understand CVE's rules for assigning the proper number of identifiers, so there is a period of informal "training" before a CNA can reserve pools of candidates. Also, there is a greater likelihood of mistakes occurring, but this does not happen too frequently. 4) For researchers who want to acquire candidates from us before publishing, we strongly recommend that they follow "responsible disclosure practices," for some definition of "responsible." This is NOT an attempt to use CVE to impose the disclosure draft on other parties. Rather, it is a technical decision. We have found that the accuracy of CVE is directly affected by disclosure practices. For example, one of the primary causes of duplicate identifiers is the lack of coordination between researchers and vendors. We also have to do a lot of extra work to resolve inconsistencies between researcher and vendor reports. The number and scope of inconsistencies tends to be larger when the disclosure was not coordinated. This informal policy for CVE had been in use for about 2 years before the disclosure draft was released. A more formal disclosure policy for CVE is in the works, but hopefully the above comments will clarify things a little. - Steve _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Current thread:
- Re: CERT, Full Disclosure, and Security By Obscurity Steven M. Christey (Jan 31)
- <Possible follow-ups>
- Re: CERT, Full Disclosure, and Security By Obscurity Steffen Dettmer (Feb 01)