[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200301312339.SAA07246@linus.mitre.org>
From: coley at linus.mitre.org (Steven M. Christey)
Subject: CERT, Full Disclosure, and Security By Obscurity
Georgi Guninski said:
>Recently when I notified some vendors about a vulnerability, I wrote
>something like a license agreement that the info should not be
>disclosed to m$, cert, mitre, sf and others.
Just to clarify some possible misconceptions about how we use incoming
vulnerability information for CVE:
1) MITRE is a not-for-profit organization. The CVE project does not
sell vulnerability information to anyone. Funding for the CVE
project is exclusively from US government organizations, primarily
the General Services Administration (GSA).
2) When someone requests a CVE candidate from MITRE for an issue that
has not been published, the CVE team does not redistribute that
information to anybody else, including our sponsors and others
within MITRE.
3) Some major vendors and other organizations have the ability to
assign CVE candidate numbers themselves without notifying MITRE of
the related vulnerabilities. These Candidate Naming Authorities
(CNAs) are provided with empty "pools" of candidates.
For CNA-assigned candidates, MITRE learns of these vulnerabilities
at the same time as everyone else, i.e. when they are published.
The caveat is that CNAs must understand CVE's rules for assigning
the proper number of identifiers, so there is a period of informal
"training" before a CNA can reserve pools of candidates. Also,
there is a greater likelihood of mistakes occurring, but this does
not happen too frequently.
4) For researchers who want to acquire candidates from us before
publishing, we strongly recommend that they follow "responsible
disclosure practices," for some definition of "responsible." This
is NOT an attempt to use CVE to impose the disclosure draft on
other parties. Rather, it is a technical decision. We have found
that the accuracy of CVE is directly affected by disclosure
practices. For example, one of the primary causes of duplicate
identifiers is the lack of coordination between researchers and
vendors. We also have to do a lot of extra work to resolve
inconsistencies between researcher and vendor reports. The number
and scope of inconsistencies tends to be larger when the disclosure
was not coordinated. This informal policy for CVE had been in use
for about 2 years before the disclosure draft was released.
A more formal disclosure policy for CVE is in the works, but hopefully
the above comments will clarify things a little.
- Steve
Powered by blists - more mailing lists