[EXT] Re: CNCF proposed Global Security Vulnerability Summit #835
It's interesting that the example given is how the CNCF data for log4j is better than CVE (ref: https://github.com/cncf/tag-security/issues/835#issuecomment-991467721 ) however the CNCF entry is actually worse, because, for example, their version comparison incorrectly would flag log4j 2.12.3 as vulnerable when it isn't. However the CVE entry that we've been updating is correct https://www.cve.org/CVERecord?id=CVE-2021-44228

For the upcoming White House meeting this week (which I'm attending) in the ASF position paper we mention this CVE agility as being deliberate and important. https://cwiki.apache.org/confluence/display/COMDEV/Position+Paper

Mark

On Tue, 11 Jan 2022 at 14:59, Art Manion wrote:
>
> All,
>
> https://github.com/cncf/tag-security/issues/835
>
> I plan to be involved in this event assuming it happens, for both CVE and
> $dayjob reasons. I will of course represent CVE but we may want additional
> involvement, including someone from the Secretariat (MITRE is specifically
> mentioned).
>
> Regards,
>
> - Art

RE: CNCF proposed Global Security Vulnerability Summit #835
If the goal is around Cloud CVEs then it’s a really good idea for us (CVE Board members and CVE Program Secretariat) to be there. I think there is a weird misunderstanding around cloud vulns and scope of CNAs. I think, at least in my conversations with Cloud vendors, that there is a fundamental communication barrier but that we are actually a lot more compatible than THEY often think.

-----Original Message-----
From: Landfield, Kent (Enterprise)
Sent: Tuesday, January 11, 2022 10:41 AM
To: Art Manion; Noble, Kathleen; CVE Editorial Board Discussion
Subject: Re: CNCF proposed Global Security Vulnerability Summit #835

Sounds good. Thanks!

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com

On 1/11/22, 9:35 AM, "Art Manion" wrote:

CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe.

No dates yet, IIUC this is a discussion/proposal, not yet a decision to hold the event.

It looks like (and from a side conversation) that one of the goals is more CVE IDs for cloud vulnerabilities, which aligns with the CVE mission.

- Art

On 2022-01-11 10:27, Landfield, Kent (Enterprise) wrote:
> I too would attend. I am wondering what is the real outcome of this event they are trying to achieve.
>
> Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!

Re: CNCF proposed Global Security Vulnerability Summit #835
Sounds good. Thanks!

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com

On 1/11/22, 9:35 AM, "Art Manion" wrote:

No dates yet, IIUC this is a discussion/proposal, not yet a decision to hold the event.

It looks like (and from a side conversation) that one of the goals is more CVE IDs for cloud vulnerabilities, which aligns with the CVE mission.

- Art

On 2022-01-11 10:27, Landfield, Kent (Enterprise) wrote:
> I too would attend. I am wondering what is the real outcome of this event they are trying to achieve.
>
> Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!

Re: CNCF proposed Global Security Vulnerability Summit #835
No dates yet, IIUC this is a discussion/proposal, not yet a decision to hold the event.

It looks like (and from a side conversation) that one of the goals is more CVE IDs for cloud vulnerabilities, which aligns with the CVE mission.

- Art

On 2022-01-11 10:27, Landfield, Kent (Enterprise) wrote:
> I too would attend. I am wondering what is the real outcome of this event they are trying to achieve.
>
> Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!

Re: CNCF proposed Global Security Vulnerability Summit #835
I too would attend. I am wondering what is the real outcome of this event they are trying to achieve.

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com

On 1/11/22, 9:23 AM, "Noble, Kathleen" wrote:

I would attend, but I can't seem to find the date?

-----Original Message-----
From: Art Manion
Sent: Tuesday, January 11, 2022 9:59 AM
To: CVE Editorial Board Discussion
Subject: CNCF proposed Global Security Vulnerability Summit #835

All,

https://github.com/cncf/tag-security/issues/835

I plan to be involved in this event assuming it happens, for both CVE and $dayjob reasons. I will of course represent CVE but we may want additional involvement, including someone from the Secretariat (MITRE is specifically mentioned).

Regards,

- Art

RE: CNCF proposed Global Security Vulnerability Summit #835
I would attend, but I can't seem to find the date?

-----Original Message-----
From: Art Manion
Sent: Tuesday, January 11, 2022 9:59 AM
To: CVE Editorial Board Discussion
Subject: CNCF proposed Global Security Vulnerability Summit #835

All,

https://github.com/cncf/tag-security/issues/835

I plan to be involved in this event assuming it happens, for both CVE and $dayjob reasons. I will of course represent CVE but we may want additional involvement, including someone from the Secretariat (MITRE is specifically mentioned).

Regards,

- Art