Re: cve-assign delays

[Kurt Seifried <kseifried () redhat com>]

On 03/19/2015 01:18 PM, Steven M. Christey wrote:
> We recognize that some requesters have experienced delays, and
> sometimes lengthy delays, in getting CVE IDs assigned. We apologize
> for those delays.
>
> The number of cve-assign requests has been growing dramatically, as
> has the number of unique and new requesters. Our goal is always to
> provide reasonable response times, and we were caught by the spike in
> requests.

Volume is definitely a problem, and only going to get worse.

> We are working to improve our responsiveness through a combination of
> process changes, improved communications, and staffing shifts.
>
> We appreciate your understanding and expect that you will see positive
> changes in the cve-assign response times over the coming weeks.
>
> Best regards,
> Steve Christey Coley

Has any consideration been given to maybe going with "Second class"
CVEs? For example in a case where a security issue is obvious (a PHP app
with XSS due to missing htmlspecialchars for example) and well
documented (link to a github commit or similar) could Mitre just assigns
the CVE, link it to the gihub commit or whatever the original source is
and it never give it a "real" description? Most of these types of issues
just need CVEs and an entry in the database with the source, I don't
think anyone cares much beyond that.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

Attachment: signature.asc
Description: OpenPGP digital signature