Open Source and information security mailing list archives
From: coley at mitre.org (Steven M. Christey)
Subject: Re: OpenSSH - is X-Force really behind this?

Michal Zalewski said:

>What I find perplexing is the fact ISS was not credited by any major
>player reporting the vulnerability - OpenSSH team, CERT, CVE, Red Hat,
>you name it.

As I have discussed in previous posts, MITRE occasionally distributes
"blank" candidates to Candidate Naming Authorities (CNAs), including
Red Hat.  Among other things, this allows vendors and researchers to
use CVE identifiers without including MITRE in the "information loop."

The CVE identifiers for the recent OpenSSH issues were managed by Red
Hat, and MITRE was not aware of these issues until they became public.
We are therefore updating the CVEs based on public information.

For references associated with CVE identifiers, we generally include
posts to major bug lists (including full-disclosure), vendor alerts,
and/or the initial bug announcements from the researchers, pretty much
anything that is going to be commonly used as an "alternate name" for
the associated CVE identifier.  In the case of the X-Force advisory,
it was unclear whether they were the original discoverers of the
issue, so the reference had not been added, pending some consultation
that did not happen due to low prioritization.

>The cycle of a vulnerability from discovery to publication (or leak)
>is probably around two weeks to one month on average

This is probably the case, based on some incomplete statistical work
that I attempted based on published disclosure timelines from the
first half of 2002.  The extremes also appear frequently, whether the
issues are fixed within 15 minutes or 6 months.  And yes Virginia,
sometimes even open source vendors can take more than 6 months to fix
some bugs.

- Steve
