
Re: CVE assignment (oss-sec mailing list)



On Wed, 25 Nov 2015, Kurt Seifried wrote:

: So just one day before. The reason I assigned one was: the request was clear that they needed it within 24 hours, and they had previously asked MITRE (9 days earlier). Also, the reply to the CVE request pointed out to me that I should not assign one:
:
: "As a reminder, there is currently no agreement in place between the MITRE CVE team and Red Hat for Red Hat to assign a CVE ID to a public report."
:
: I don't actually know who sent that email as it came from the generic cve-assign@ address and was simply signed "CVE assignment team, MITRE CVE Numbering Authority" but I assume it's legitimate (in the sense that it's the official MITRE view).

This is a very important topic right now, and this reply is disturbing. I have pointed out at least once, maybe a few times, on this list that the CVE assignment process is very behind. Today, I received a BCC on mail from a security company to CVE asking why assignments were so far behind. Others have pointed out on Twitter that there are significant delays in CVE requests; this is a very publicly known issue. I can personally attest to this, as a request for a CVE ID I made to cve-assign@mitre.org on 8/20/2015 has *not been answered*. This is very concerning, as a request I made on 11/20/2015 not only received a response one day later, but contained what I half-jokingly referred to as "CVE assignment masturbation" off-list to CVE staff in the past months. More importantly? My request on 8/20 was about the most simple, straightforward request one can make: "One 2015 ID for a reflected XSS", from a trusted organization, made by someone intimately familiar with the CVE process. The request on 11/20 was about the most convoluted request CVE could receive, except that the same person prefaced it with their understanding of CVE assignment/abstraction, in addition to being involved in the disclosure. That one received an outstanding breakdown of the decision to assign a new ID (as I figured), and an extensive explanation as to why they agreed. Consider that. Why is the same person waiting 3 months for an assignment given those two radically different requests, where the assignments seem backwards?

This should be a critical issue to the board, as this is alienating companies that have declared themselves "CVE compatible". Why should any company strive to obtain a CVE when they are waiting months for an assignment, while the super-CNA (RedHat) can dish them out to meet short deadlines? Worse, why is RedHat called out and told NOT to assign, when CVE is clearly not prepared to meet those deadlines and offer assignments as needed? If CVE fails to provide IDs on a few issues, after three months, I will personally lobby my company to publish advisories without an assignment, and make it very clear that it was done because CVE chose not to assign. It isn't fair that CVE holds up the coordinated disclosure process in cases where the requesting party and vendor are not CNAs themselves. Given that I suggested CVE expand the CNA body a while back, and that appears to have fallen on deaf ears, there is no excuse for MITRE at this point.

: from MITRE, nothing happens, they then ask publicly, nothing happens). I'm willing to back fill CVE assignments on oss-security, but that would leave

Why? Unless it is in the purview of your current assignments, given CVE's reply today, you should not look to backfill. That is on MITRE to do so, unless they specifically task you to. If they task you to, that should be done in a public forum (OSS-sec, or the board list), with an explanation of why they are relying on RedHat to provide assignments.

.b

Page last updated or reviewed: November 29, 2015