Yes, although you could also say that as the entity publishing a vulnerability as a CVE record the CNA *is* making that claim themselves. This breaks down when we talk about a CNA-LR. One solution could be to allow CNAs to publish without a reference if they meet the higher record requirements, but require CNA-LRs to publish with a reference always. Both scenarios could be mechanically validated by the CVE submission service.
Regards,
Dave

-----Original Message-----
From: Landfield, Kent (Enterprise) <kent_landfi...@mcafee.com>
Sent: Wednesday, August 18, 2021 4:19 PM
To: Art Manion <aman...@cert.org>; CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: Re: public reference requirement

Totally agree!

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com

On 8/18/21, 3:07 PM, "Art Manion" <aman...@cert.org> wrote:

Towards the end of the discussion today, this came up:

Participants in these sorts of large/distributed systems (the CVE Program) *must* have some real responsibility, aka skin in the game. So, the requirement to me is that the entity requesting or assigning or populating the CVE entry *must also be willing to make the same claim themselves.* This can be a git commit, a vendor advisory, a researcher blog post. More than the content, the fact that the claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the program that the program doesn't own -- the program catalogs vulnerabilities, the program doesn't own (i.e., discover, create, fix) vulnerabilities.

- Art