Completely agree that the participants must own what they contribute to the
CVE list.
That ownership/attribution should be clearly visible on the (new)
Consumers of a poorly written (vague, unactionable) CVE entry should talk
to the CNA and not blame the CVE Program or MITRE.

This is no different than how Twitter users are seen as being responsible
for their tweets and not Twitter Inc.,
While a hyperlink in a tweet may increase a tweet's credibility, why would
lack of one make a tweet not authoritative?

IMHO the reason services like Twitter have a lot of participation is
because they do not require everyone to set up their own websites to be
able to publish opinions (which was the case in the 1990s :-))

Thank you,

On Wed, Aug 18, 2021 at 1:07 PM Art Manion <> wrote:

> Towards the end of the discussion today, this came up:  Participants in
> these sorts of large/distributed systems (the CVE Program) *must* have some
> real responsibility, aka skin in the game.  So, the requirement to me is
> that the entity requesting or assigning or populating the CVE entry *must
> also be willing to make the same claim themselves.*  This can be a git
> commit, a vendor advisory, a researcher blog post.  More than the content,
> the fact that the claim is published by the CVE requester/assigner matters.
> Otherwise the system allows participants to push responsibility on the
> program that the program doesn't own -- the program catalogs
> vulnerabilities, the program doesn't own (i.e., discover, create, fix)
> vulnerabilities.
>   - Art

Sr Director, Product Security Assurance, Vulnerability Remediation, and
Palo Alto Networks

Reply via email to