Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <66f867c6-a0da-52da-657b-b7ca4a8ee07d@redhat.com>
Date: Mon, 22 May 2017 20:04:41 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: How to request a CVE for open source projects

On 2017-05-22 7:13 PM, Kurt H Maier wrote:
> On Mon, May 22, 2017 at 06:53:42PM -0600, Kurt Seifried wrote:
>>
>> On 2017-05-22 5:44 PM, Kurt H Maier wrote:
>> Neither, that's part of what I'm figuring out. Most likely it'll look
>> like a trusted pool of people (aka CVE Mentors) that can either
>> contribute or more easily gatekeep). Also the doc are out of date and
>> the process is evolving rapidly so I haven't really bothered updating
>> them since things keep changing.
> It might be worth noting that in the README file on the documentation
> repo.  It wouldn't take long and may prevent confusion in the meantime.
>
>> Good question. What exactly is it you want to input? CVE requests? CVE
>> assignments? Modify existing CVE entries?
> Primarily, freeform discussion of the sort that occurred on this list as
> a natural outcropping of the CVE request process led to people linking
> to verification code, temporary mitigations, highlighting of incomplete
> fixes, and the sort of information that was requested earlier in this
> thread.  This ability to easily chip in to ongoing situations wasn't
> just useful for mitre staff doing CVE work, it was also useful for the
> "community of practice" looking for the latest information regarding
> self-defense.  I've prevented more than one attack thanks to a one-off
> reply from someone in response to a CVE request.  

You can still do this. oss-security is a list run by Solar Designer
(openwall.com). I happen to be a long time poster/moderator, but I have
no official control/etc (I don't even block posts, that's up to solar, I
just allow stuff or ignore it when it's up for moderation).

The DWF will not be taking CVE requests on oss-security (ditto for
MITRE/etc.), why? They're way to messy. We need well structured requests
i we want this to scale (I should know, I've done over 5000 CVE
assignments). One goal is to get CVE assignments down to minutes with
minimal latency (e.g. a large pool of assigners so timezones aren't a
problem). This stuff can then be posted to oss-security WITH a CVE.

Or you can post it to oss-security WITHOUT a CVE (like you did in past)
and still have all the discussion. The only change is if you want a CVE
you hav to fill out a simple form and wait a bit. You had to wait when
you posted here so the waiting part hasn't changed much. (well ok, right
now the DWF is slow, but again I'm working on that).

>
> The CVE assignment process was more than just a collaborative
> database-population effort.  With the shift to webforms and javascript
> the natural environment which promoted that discourse is being removed.
I disagree. If not assigning CVE's on the list kills this list, then...
wow. Good to know I personally kept this list up and running for a few
years.
>
>> Not really. the docs are out of date and I'm more concerned about
>> evolving this right now then updating documentation.
> Again, I strongly suggest you note on the README that this is the case.
> As matters stand the documentation represents itself as accurate.
Which README specifically (there's a bunch), feel free to reply offlist.

>
> khm

-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@...hat.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.