
Re: Regarding CVE assignment (oss-sec mailing list)



Sun, 29 Nov 2015, Williams, Ken wrote:

[...]
: > If CVE fails to provide IDs on a few issues, after three months, I will
: > personally lobby my company to publish advisories without an assignment,
: > and make it very clear that it was done because CVE chose not to assign.
: > It isn't fair that CVE holds up the coordinated disclosure process in
: > cases where the requesting party and vendor are not CNAs themselves. Given
: > that I suggested CVE expand the CNA body a while back, and that appears to
: > have fallen on deaf ears, there is no excuse for MITRE at this point.
: [...]
:
: A disclosure process should never be held up by a pending CVE
: assignment. Just go ahead and disclose and put "pending CVE assignment"
: on the CVE line.

Except, that is problematic for issues like Apache Commons. CVE's delay in assigning, or clearly saying how assignments would be handled (e.g. one ID vs one ID per vendor vs one ID per product), led to serious confusion already. IBM started using Oracle's assignment in advisories before CVE finally replied to IBM PSIRT instructing them to use their own. But the damage is done: even with IBM's own ID, some internal divisions are still using Oracle's assignment a week later [1]. This highlights the importance of timely assignments and/or direction from CVE to the CNAs.

.b

[1] http://www-01.ibm.com/support/docview.wss?uid=swg1jr54748

Page last updated or reviewed: 01 December 2015