Totally agree!

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!,
Bedankt, Danke!, ありがとう, धन्यवाद!
-- 
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com
 

On 8/18/21, 3:07 PM, "Art Manion" <aman...@cert.org> wrote:

    Towards the end of the discussion today, this came up:  Participants in
    these sorts of large/distributed systems (the CVE Program) *must* have some
    real responsibility, aka skin in the game.  So, the requirement to me is that
    the entity requesting or assigning or populating the CVE entry *must also be
    willing to make the same claim themselves.*  This can be a git commit, a vendor
    advisory, a researcher blog post.  More than the content, the fact that the
    claim is published by the CVE requester/assigner matters.

    Otherwise the system allows participants to push responsibility on the
    program that the program doesn't own -- the program catalogs vulnerabilities,
    the program doesn't own (i.e., discover, create, fix) vulnerabilities.

      - Art

