oss-sec mailing list archives

Previous By Date Next
Previous By Thread Next

Re: MITRE is adding data intake to its CVE ID process

From: Amos Jeffries <squid3 () treenet co nz>
Date: Fri, 10 Feb 2017 08:23:18 +1300
On 10/02/2017 5:07 a.m., Steven R. Loomis wrote:

On 2/9/17 6:54 AM, Peter Bex wrote:

In an ideal world, free software project leaders should be
able to request a CVE ID _before_ announcing a vulnerability to their
user base.  If there were some way to register people as project leaders,
the "proof" should not be necessary, they should be able to request a
CVE ID with authority.

Peter,
 I actually wondered about this very thing, if it was possible to
request an ID before the details were fully available. From your note,
it sounds like this is not the case currently.

Steven



I used to request CVE with a brief description suitable for the CVE
record and reference URL(s) eg. where the upstream advisory was going to
be located. Nowdays someone at mitre seems to be waiting for the URL to
go public before assignment :-(.

AYJ

Attachment: signature.asc
Description: OpenPGP digital signature

Previous By Date Next
Previous By Thread Next

Current thread: