* Andres Salomon:

> How can you tell? The mitre description is absolutely useless. I
> fucking hate this stupid vendor-sec/mitre non-disclosure policy,

In most cases, MITRE does not have access to pre-disclosure information. They just hand out unique names, and update the database based on public data afterwards. However, it is true that they demand that CNAs (who can assign CANs) "must follow responsible disclosure practices that are accepted by a significant portion of the security community" -- whatever this means. Of course, you still receive a CAN assignment no matter how you disclose a vulnerability.

That being said, it's not the job of MITRE to explain the nature of vulnerabilities if upstream fails us. The CVE database only reflects what the vendors (or other respected data sources) publish. MITRE certainly does not mandate researchers or CNAs to keep issues secret.

