List:       oss-security
Subject:    Re: [oss-security] OS command injection vulnerability in Chicken Scheme
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-04-30 0:57:38
Message-ID: 517F1702.9000705 () redhat ! com


On 04/29/2013 03:18 PM, Christey, Steven M. wrote:
> Despite popular perception, the presence of useful details does not
> necessarily get CVEs published more quickly (although missing or
> conflicting details certainly make things worse, and poorly-written
> advisories can reduce overall throughput).  We have particular
> description styles and analytical requirements that are not visible
> to the general public.  We have a process where we actively monitor
> public sources including oss-security, and we prioritize which CVE
> entries are published first.  Priorities are currently guided by 
> http://cve.mitre.org/data/board/archives/2012-09/msg00000.html, but
> other disclosures are certainly considered as well.
> 
> We are currently focused on working with the CVE Editorial Board on
> extending the CVE ID syntax to handle more than 10,000
> vulnerabilities per year, and we are also training several new
> hires.  We expect our output to rise noticeably within a few
> months, and we will continue to refine our analysis and publication
> processes to improve our production in a way that balances the
> needs of CVE's many diverse users.
> 
> - Steve

One thing I think would help is having a 1-2 page advisory guideline,
e.g. what do we need for assigning CVEs/writing CVEs up, and in
general what do the end users/etc. want. I set this up as a bare
minimum type thing:

https://cveform-kseifried.rhcloud.com/cve-request-form/

Not all fields are required. If anyone else has comments/etc please
email me and I'll see about getting this written up as a short HOWTO.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993