
List:       oss-security
Subject:    Re: [oss-security] !CVE: A new platform to track security issues not acknowledged by vendors
From:       Jean Luc Picard <atari2600a () gmail ! com>
Date:       2023-11-08 20:46:13
Message-ID: CADxcaYWdf5tUAdLLMeBVm9pa64_LyWKZ-+GSFpx3DYyWYf3R9g () mail ! gmail ! com


I have a number of natsec-ey Google reports that went nowhere, didn't get
credit or a dime out of it.  Most are nullified by the current state of
affairs struck by xAI (i.e. how to cook crack) but others I still feel should
be looked at by the greater community.  Is this the appropriate aggregate
platform now?

On Wed, Nov 8, 2023, 12:35 David A. Wheeler <dwheeler@dwheeler.com> wrote:

>
> > On Nov 8, 2023, at 12:52 PM, Vegard Nossum <vegard.nossum@oracle.com>
> wrote:
> >
> > I am not a lawyer, but I'd assume you would run into some issues with
> > the naming of all this -- wasn't that the exact issue that somebody else
> > ran into when they tried to assign identifiers to bugs that MITRE
> > wouldn't acknowledge? Here's what they said back then:
> >
> > <
> https://cve.mitre.org/news/archives/2021/news.html#April022021_Message_to_DWF_from_the_CVE_Board
> >
> >
> > I somehow doubt the presence of the ! makes much of a difference.
>
> The problem in that case wasn't that someone else used "XYZ-" format ID.
> Bugtraq did that before,
> and many others do it today. The problem was that the group labeled some
> non-CVEs as "CVE-...", which
> is confusing and probably violates trademarks.
>
> The "!CVE" group isn't using "CVE", they're using "!CVE". The question is,
> is that distinct enough, or will typical users be confused by it?
> I don't know the answer to that. However, I do worry that perhaps
> "!CVE" is not distinct enough.
>
> I would *strongly* recommend that this group use "NotCVE" or "NCVE"
> instead of "!CVE".
> That would be more clearly distinct, and they already call themselves that.
> I'll also note that searching for "!CVE" and storing that prefix will also
> cause some problems.
>
> This gets into trademark law. I'm not a lawyer. However, I do talk to them
> :-). Trademark law doesn't
> prevent you from *doing* an action, it just prevents certain kinds of
> confusing *names* because
> it's helpful when names mean things. As long as the name/image/whatever is
> clearly distinct
> there's no problem. So where possible, please use clearly distinct names
> for distinct things.
> I think that's a good practice even when it's *not* legally required.
>
> --- David A. Wheeler
>
>

