Agree.  We need an authoritative source.

Thank you,

For Cyber Emergencies email:<>

From: Art Manion <>
Date: Wednesday, August 18, 2021 at 4:07 PM
To: CVE Editorial Board Discussion <>
Subject: [EXTERNAL] public reference requirement

Towards the end of the discussion today, this came up:  Participants in these 
sorts of large/distributed systems (the CVE Program) *must* have some real 
responsibility, aka skin in the game.  So, the requirement to me is that the 
entity requesting or assigning or populating the CVE entry *must also be 
willing to make the same claim themselves.*  This can be a git commit, a vendor 
advisory, a researcher blog post.  More than the content, the fact that the 
claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the program 
that the program doesn't own -- the program catalogs vulnerabilities, the 
program doesn't own (i.e., discover, create, fix) vulnerabilities.

  - Art
