Message-ID: <200602032152.k13LqfXx024683@cairo.mitre.org>
Date: Fri Feb 3 21:52:48 2006
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Open Letter on the Interpretation of "Vulnerability Statistics"

Florian Weimer said:
>> Unless things have changed since I went through the process, the
>> authority involved does not extend to Debian in general but only to
>> specific individuals.
>
>Certainly, at Debian, only certain individuals issue CVEs. I can't
>tell if this is Debian's choice, or a result of MITRE's rules.

Like some other aspects of CVE, there is a distinct lack of
distinction between individuals and organizations. In the case of
these Candidate Numbering Authorities (CNAs), a specific individual at
the CNA goes through some period of training to ensure that he/she
learns how to assign the proper number of identifiers in accordance
with CVE's content decisions. Usually this training is for a specific
individual of the organization. But as long as the CNA collectively
follows CVE's content decisions when it assigns identifiers, how it
"implements" those actions is not within CVE's purview. For example,
Red Hat and CERT are two other organizations that have multiple people
assigning CVE identifiers.
- Steve