On 03/01/2017 17:52, Denis Magda wrote:
> Hi Mark,
>
> I reached out to both MITRE and cvedetails.com folks as you suggested
> earlier. Below you can see the answer from MITRE. CVE guys have not
> replied yet.
>
> One of the things suggested by MITRE is the following
>
>> One last item to note is that Apache is a CVE CNA. You can find more
>> information about the CNA program
>> at http://cve.mitre.org/cve/cna.html. We realize that there are many
>> Apache products, but you may want to investigate this and reach out to
>> the appropriate folks within Apache to not only share the CVE ID pool,
>> but also potentially communicate when vulnerabilities are found in
>> Apache Ignite.
>
> Do you guys keep an eye on all Apache vulnerabilities or subscribe to
> the updates? If so, could you update Apache Ignite community every time
> an Ignite vulnerability has been discovered?

That isn't how vulnerability handling works. See
http://www.apache.org/security/committers.html

Any vulnerability reports for Apache Ignite received by the security
team will be passed privately to the project for resolution.

Mark

>
> Regards,
> Denis
>
>> On Dec 29, 2016, at 10:03 AM, Coffin, Chris <[email protected]> wrote:
>>
>> Denis,
>>
>> The cvedetails.com web site is not affiliated
>> with MITRE and you would need to contact them directly if you wanted
>> to see a change in the URL you had provided. The contact information
>> for cvedetails.com can be found
>> at http://www.cvedetails.com/about-contact.php.
>>
>> The MITRE CVE team does not currently provide any notifications for
>> CVEs, but has considered this in the recent past. One thought was to
>> create a registry of product vendors that is used for contact purposes
>> when a CVE ID is published and affects the vendor. If this is
>> something that would be of interest to you, please let us know.
>>
>> One last item to note is that Apache is a CVE CNA. You can find more
>> information about the CNA program
>> at http://cve.mitre.org/cve/cna.html. We realize that there are many
>> Apache products, but you may want to investigate this and reach out to
>> the appropriate folks within Apache to not only share the CVE ID pool,
>> but also potentially communicate when vulnerabilities are found in
>> Apache Ignite.
>>
>> Regards,
>>
>> Chris Coffin
>> The CVE Team
>>
>> *From:* Denis Magda [mailto:[email protected]]
>> *Sent:* Wednesday, December 28, 2016 3:18 PM
>> *To:* Common Vulnerabilities & Exposures <[email protected]>
>> *Cc:* [email protected]
>> *Subject:* Fwd: Product ID for Apache Ignite
>>
>> Dear Sir/Madam,
>>
>> I’m writing you on behalf of Apache Ignite [1] community to check if
>> there is a way to obtain a product ID for our project. The whole
>> purpose of that is to be proactive by handling vulnerabilities as soon
>> as they appear in the CVE database.
>>
>> For instance, we can use services like that [2] to subscribe for
>> vulnerabilities related updates. To do that, both vendor ID and
>> product ID have to be known. In our case the vendor is 45 (Apache
>> Foundation) while there is no product ID for Apache Ignite yet.
>>
>> Could you assist and register product ID for Apache Ignite?
>>
>> [1] https://ignite.apache.org
>> [2] http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
>>
>> Regards,
>> Denis Magda
>> Apache Ignite PMC Chair
>>
>>
>> Begin forwarded message:
>>
>> *From:* Mark Thomas <[email protected]>
>> *Subject:* Re: Product ID for Apache Ignite at CVE
>> *Date:* December 12, 2016 at 9:01:58 AM PST
>> *To:* [email protected]
>> *Cc:* [email protected]
>> *Reply-To:* [email protected]
>>
>> On 08/12/2016 01:59, Denis Magda wrote:
>>
>> > Hello,
>> >
>> > I’m writing on behalf of Apache Ignite [1] community. We would
>> > like to register Apache Ignite in CVE database so that it appears in
>> > the list of Apache products [2] already registered there and has its
>> > own unique product ID.
>> >
>> > Who can assist us with this or provide a guidance?
>>
>> Sorry, not a clue.
>>
>> I suspect updates are made as new products issue vulnerability
>> announcements. cvedetails.com isn't part of Mitre so I suggest you
>> contact cvedetails.com directly with your query.
>>
>> Mark
>>
>> > [1] https://ignite.apache.org
>> > [2] http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
>> >
>> > Regards,
>> > Denis
>
