lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200301312339.SAA07246@linus.mitre.org>
From: coley at linus.mitre.org (Steven M. Christey)
Subject: CERT, Full Disclosure, and Security By Obscurity

Georgi Guninski said:

>Recently when I notified some vendors about a vulnerability, I wrote
>something like a license agreement that the info should not be
>disclosed to m$, cert, mitre, sf and others.

Just to clarify some possible misconceptions about how we use incoming
vulnerability information for CVE:

1) MITRE is a not-for-profit organization.  The CVE project does not
   sell vulnerability information to anyone.  Funding for the CVE
   project is exclusively from US government organizations, primarily
   the General Services Administration (GSA).

2) When someone requests a CVE candidate from MITRE for an issue that
   has not been published, the CVE team does not redistribute that
   information to anybody else, including our sponsors and others
   within MITRE.

3) Some major vendors and other organizations have the ability to
   assign CVE candidate numbers themselves without notifying MITRE of
   the related vulnerabilities.  These Candidate Naming Authorities
   (CNAs) are provided with empty "pools" of candidates.

   For CNA-assigned candidates, MITRE learns of these vulnerabilities
   at the same time as everyone else, i.e. when they are published.
   The caveat is that CNAs must understand CVE's rules for assigning
   the proper number of identifiers, so there is a period of informal
   "training" before a CNA can reserve pools of candidates.  Also,
   there is a greater likelihood of mistakes occurring, but this does
   not happen too frequently.

4) For researchers who want to acquire candidates from us before
   publishing, we strongly recommend that they follow "responsible
   disclosure practices," for some definition of "responsible."  This
   is NOT an attempt to use CVE to impose the disclosure draft on
   other parties.  Rather, it is a technical decision.  We have found
   that the accuracy of CVE is directly affected by disclosure
   practices.  For example, one of the primary causes of duplicate
   identifiers is the lack of coordination between researchers and
   vendors.  We also have to do a lot of extra work to resolve
   inconsistencies between researcher and vendor reports.  The number
   and scope of inconsistencies tends to be larger when the disclosure
   was not coordinated.  This informal policy for CVE had been in use
   for about 2 years before the disclosure draft was released.

A more formal disclosure policy for CVE is in the works, but hopefully
the above comments will clarify things a little.

- Steve

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ