List:       full-disclosure
Subject:    Re: [Full-Disclosure] CERT, Full Disclosure, and Security By Obscurity
From:       "Steven M. Christey" <coley () linus ! mitre ! org>
Date:       2003-01-31 23:39:00


Georgi Guninski said:

>Recently when I notified some vendors about a vulnerability, I wrote
>something like a license agreement that the info should not be
>disclosed to m$, cert, mitre, sf and others.

Just to clarify some possible misconceptions about how we use incoming
vulnerability information for CVE:

1) MITRE is a not-for-profit organization.  The CVE project does not
   sell vulnerability information to anyone.  Funding for the CVE
   project is exclusively from US government organizations, primarily
   the General Services Administration (GSA).

2) When someone requests a CVE candidate from MITRE for an issue that
   has not been published, the CVE team does not redistribute that
   information to anybody else, including our sponsors and others
   within MITRE.

3) Some major vendors and other organizations have the ability to
   assign CVE candidate numbers themselves without notifying MITRE of
   the related vulnerabilities.  These Candidate Naming Authorities
   (CNAs) are provided with empty "pools" of candidates.

   For CNA-assigned candidates, MITRE learns of these vulnerabilities
   at the same time as everyone else, i.e. when they are published.
   The caveat is that CNAs must understand CVE's rules for assigning
   the proper number of identifiers, so there is a period of informal
   "training" before a CNA can reserve pools of candidates.  Also,
   there is a greater likelihood of mistakes occurring, but this does
   not happen too frequently.

4) For researchers who want to acquire candidates from us before
   publishing, we strongly recommend that they follow "responsible
   disclosure practices," for some definition of "responsible."  This
   is NOT an attempt to use CVE to impose the disclosure draft on
   other parties.  Rather, it is a technical decision.  We have found
   that the accuracy of CVE is directly affected by disclosure
   practices.  For example, one of the primary causes of duplicate
   identifiers is the lack of coordination between researchers and
   vendors.  We also have to do a lot of extra work to resolve
   inconsistencies between researcher and vendor reports.  The number
   and scope of inconsistencies tends to be larger when the disclosure
   was not coordinated.  This informal policy for CVE had been in use
   for about 2 years before the disclosure draft was released.

A more formal disclosure policy for CVE is in the works, but hopefully
the above comments will clarify things a little.

- Steve
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html