Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 7 Mar 2016 18:31:22 -0700
From: distributed weaknessfiling <>
Subject: Distributed Weakness Filing (DWF) System

So in the interests of full disclosure and transparency I (Kurt Seifried)
am writing this email as an individual and member of the DWF System, and
not as an employee of Red Hat. Please note that although I have a day job
at Red Hat I also (like many information security people) work on other
projects in my personal life, either because they are not work related, or
because it's simply not appropriate to work on the project as part of my
day job (in this case it's less about Red Hat, and more about the fact that
as a Red Hat Employee I am a member of the CVE Editorial Board).

I have increasingly noticed problems with Mitre's handling of the CVE
database. This has come to a head now that I have multiple, confirmed,
public reports of security researchers being unable to get CVE numbers
assigned to them in a timely manner, if at all. As such the solution is

We need a distributed, scale out method for assigning vulnerability
identifiers that is as compatible with the existing CVE system as possible.
Not just in terms of format but in terms of process and usage. As such I
took on the task, creating the DWF system and getting a number of other
people involved (Larry Cashdollar, Zachary Wikholm, Josh Bressers, etc.).
My goal is to create a simple system for assigning vulnerability
identifiers that relies on the community and not a single entity or
organization. Additionally I want to reduce the time and effort needed to
get identifiers, something best achieved by pushing assigning out to as
close to the vulnerability discover/handling as possible.

With this in mind we have created a system that has several main components:

1) Documentation and Guidelines for how this whole thing works (

2) DWF Numbering authorities that can self assign DWF numbers, or assign on
behalf of people that need DWF numbers but are not a numbering authority (

3) A database of DWF entries (

4) A database of artifacts, files and related files for DWF entries (so
that when websites disappear the required content is hopefully still
available) (

There are 4 primary ways to get a DWF identifier:

1) If you already have a CVE identifier you can map it directly to DWF,
e.g. CVE-2000-1234 maps directly to DWF-2000-1234.

2) If you are a DWF Numbering Authority (DNA) ( you can self
assign a DWF to the issue(s).

3) You can request a DWF from a DNA, this is ideal if the DNA is associated
with the flawed software, or the DNA will assist in the handling of the
security vulnerability.

4) You can request a DWF directly either via PULL request in GitHUB to the
DWF Database ( or
by emailing us at
Please note that the DWF would be happy to work with any and all entities
(including Mitre!) with respect to making DWF better, or helping integrate
the efforts of others.

-Kurt Seifried

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.