CVE is not twitter and the vulnerability management community does not rely on 
it. This is a silly analogy. Different purposes, different services, different 
goals.

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, 
Bedankt, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com


From: "Chandan B.N." <cnandakum...@paloaltonetworks.com>
Date: Wednesday, August 18, 2021 at 3:58 PM
To: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: Re: public reference requirement


Completely agree that the participants must own what they contribute to the CVE 
list.
That ownership/attribution should be clearly visible on the (new) CVE.org site.
Consumers of a poorly written (vague, unactionable) CVE entry should talk to 
the CNA and not blame the CVE Program or MITRE.

This is no different than how Twitter users are seen as being responsible for 
their tweets and not Twitter Inc. While a hyperlink in a tweet may increase a 
tweet's credibility, why would lack of one make a tweet not authoritative?

IMHO the reason services like Twitter have a lot of participation is because 
they do not require everyone to set up their own websites to be able to publish 
opinions (which was the case in the 1990s :-))
Thank you,
Chandan

On Wed, Aug 18, 2021 at 1:07 PM Art Manion <aman...@cert.org> wrote:

Towards the end of the discussion today, this came up:  Participants in these 
sorts of large/distributed systems (the CVE Program) *must* have some real 
responsibility, aka skin in the game.  So, the requirement to me is that the 
entity requesting or assigning or populating the CVE entry *must also be 
willing to make the same claim themselves.*  This can be a git commit, a vendor 
advisory, a researcher blog post.  More than the content, the fact that the 
claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the program 
that the program doesn't own -- the program catalogs vulnerabilities, the 
program doesn't own (i.e., discover, create, fix) vulnerabilities.

  - Art


--
Sr Director, Product Security Assurance, Vulnerability Remediation, and PSIRT
Palo Alto Networks https://security.paloaltonetworks.com/
