oss-sec mailing list archives

Re: !CVE: A new platform to track security issues not acknowledged by vendors

From: !CVE Team <contact () notcve org>
Date: Fri, 10 Nov 2023 13:31:56 +0100

Hello Mike,

Thank you for sharing you views.

On 09/11/2023 18:44, Mike O'Connor wrote:

!CVE Team,

 From an open source perspective, the CNA(s) who might be assigning

CVEs might not be a "vendor".

The !CVE project is not a static project where everything is defined thevery first day but an evolving project where all feedback is consideredto move towards improving the cybersecurity community.

We don't want to repeat what is already published in thehttps://notcve.org site, just would like to share with you that as youcan read in the FAQ https://notcve.org/faq.html the !CVE is not onlyconsidering "vendors" but other situations. Those are examples but weplan to adapt according to the needs that arise, so in the futuredifferent situations could qualify for a NotCVE.



As just one example, the GitHub CNA

assigns tons of CVEs for open source software using GitHub's Security
Advisories, but I wouldn't think of GitHub as a "vendor" for all the
projects they host.  How do you deal with CNAs who might be fine with

assigning a CVE, but tagging it as DISPUTED?

This is easy, if there is a CVE assigned to an issue, no NotCVE will beassigned, independently of the status/tagging. If finally a CVE is notassigned then it may qualify for a NotCVE.

Perhaps they don't want
to build deprecated decades-old code to scope out the severity of a
buffer overflow some random fuzzbot found.  How would !CVE work for
the Linux kernel, where most security fixes have git commit hashes but
not CVEs?  You don't seem resourced for that.

!CVE project is not looking after security issues but it is a platformfor unacknowledged security issues. We are processing NotCVE requestsfollowing a procedure and assigning NotCVEs if they qualify, and forthat we don't have any resource problem.


Overall, it seems like the prbolem you're trying to solve is "I'm not
getting my unique tag from CVEs CNAs for my vulnerability".  Your fix
is "some other unique tag mechanism for vulnerabilities".  I think I
see where this might be going:

https://xkcd.com/927/

At first glance it may seem like that, but if you look closer you wouldrealize that the case is different. !CVE project is tracking,identifying and sharing security issues that otherwise would be randomlypublished in blog posts, Twitter, etc, (in the best case) or just lost.To obtain a NotCVE is not relevant whether someone is gettingdifficulties to obtain a CVE for their vulnerability or not. To get aNotCVE the issue must qualify. Please read the FAQ and if you findsomething needs to be clarified or areas that overlaps, we will be happyto update the project scope to clearly differentiate it from CVE.

Have you considered, I dunno, working with the CVE folks, addressing
what CNA rules you think may be broken?  Not all vulnerabilties are
created equal, and it may make sense to create more alternate systems
to deal with that.  But, forking off on your own should be done with
some due diligence.  The last thing the security community needsi are
even more fractured efforts, as they deal with enough fractured stuff.


My $0.02, FWIW...
-Mike

This is not something new or unknown by MITRE or vendors. In some casesMITRE is in favor of assigning a CVE but the vendor is against. In thosecases MITRE can do nothing and by experience we can tell you that at theend CVE will not be assigned. Note that "the security issue" cannot beeven named ""vulnerability" because it is not (vendor is the only onewith this authority) according to MITRE rules[1]. If something is not a"vulnerability" there is nothing to patch, nothing to track, etc. Sincethose issues go unnoticed, they should be looked at even more cautiouslysince they are probably not going to be fixed. Therefore !CVE platformis far from a fork but it divulges security issues that otherwise willremain hidden for most of us while recognizing the security researcherseffort by giving to them the deserved credit.

Again, thank you all for raising those questions, they help us improveand better share the mission of the !CVE project.



Kind Regards,
!CVE Team


[1] https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf

Current thread:

Re: !CVE: A new platform to track security issues not acknowledged by vendors Mike O'Connor (Nov 10)
- Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team (Nov 10)
- <Possible follow-ups>
- Re: !CVE: A new platform to track security issues not acknowledged by vendors !CVE Team (Nov 10)