Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <e1edcfd7-0547-c5c5-004e-fd6ade086b2e@redhat.com>
Date: Tue, 23 May 2017 08:43:25 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: "Perry E. Metzger" <perry@...rmont.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: How to request a CVE for open source projects



On 2017-05-22 8:28 PM, Perry E. Metzger wrote:
> On Mon, 22 May 2017 20:04:41 -0600 Kurt Seifried
> <kseifried@...hat.com> wrote:
>>> Primarily, freeform discussion of the sort that occurred on this
>>> list as a natural outcropping of the CVE request process led to
>>> people linking to verification code, temporary mitigations,
>>> highlighting of incomplete fixes, and the sort of information
>>> that was requested earlier in this thread.  This ability to
>>> easily chip in to ongoing situations wasn't just useful for mitre
>>> staff doing CVE work, it was also useful for the "community of
>>> practice" looking for the latest information regarding
>>> self-defense.  I've prevented more than one attack thanks to a
>>> one-off reply from someone in response to a CVE request.    
>> You can still do this. oss-security is a list run by Solar Designer
>> (openwall.com). I happen to be a long time poster/moderator, but I
>> have no official control/etc (I don't even block posts, that's up
>> to solar, I just allow stuff or ignore it when it's up for
>> moderation).
> Maybe after CVEs are assigned the forms could be emailed to the list
> as a replacement for the old request emails, to kick off
> discussion and alert people to their existence?
>
> Perry
The primary goals of the DWF are:

1) Creating CVE Mentors that can do CVE assignments, train other CVE
Mentors, and help create CNAs
2) Creating CNAs for OpenSource so CVE assignments happen as close to
the vulnerability as possible
3) "retail" CVE assignments (e.g. people using iwantacve.org)
4) Publishing that data to MITRE quickly as per the CNA guidelines, and
the community in general (so at a minimum you can just monitor github,
there may be more options moving forwards)

And that's basically it. If people want to monitor the CVEs the DWF
assigns and run a git to email gateway essentially they are welcome to
assuming they get Solar's approval (it's his list so his rules), but
it's out of scope for the DWF at this point.

If people want the cat to have a nice bell they may have to step up and
actually put a bell on the cat.

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.