Re: public reference requirement

2021-08-20 Thread Art Manion



If CVE is a serious global catalog, we could maybe archive referenced content 
systemically.  There are some legal considerations but it's clearly possible to 
do legally and technically.  Might even be able to outsource it:

https://help.archive.org/hc/en-us/articles/360001513491-Save-Pages-in-the-Wayback-Machine

 - Art


On 2021-08-20 13:52, Ken Williams wrote:

Right, like OSVDB or Secunia.  Even if a site doesn't go away, there's a good 
chance they do something that breaks URLs (like switching to another CMS) and 
they may not include redirects.

Do we capture and save the data for every URL we list with a CVE?  If not, we 
should.

Regards,
Ken

On Fri, Aug 20, 2021 at 12:44 PM Tod Beardsley <tod_beards...@rapid7.com> wrote:

Incidentally, websites can and do go away.

If a CVE has a reference that's no longer valid, surely that doesn't 
invalidate the CVE?

On Fri, Aug 20, 2021 at 12:34 PM Chandan B.N. <cnandakum...@paloaltonetworks.com> wrote:

I agree that the CVE program has different purposes and goals than 
Twitter.

I agree that the public reference requirement is a good thing.


The example I gave on the call was this one: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17444 
<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17444>


IIRC our researchers noticed undocumented admin privileged accounts 
with easy passwords that were seen in many real-world deployments of this 
product. The vendor acknowledged the problem and fixed it, but failed to 
mention either the issue or CVE-2019-17444 in release notes. Our researchers 
did not pursue publishing any blog on this topic - likely they had moved into 
doing new research.


While this may be a corner case: The vendor and the researcher have 
decided they no longer have skin in the game. Don't the consumers and 
vulnerability management community still have skin in the game?  Especially 
when it is a real confirmed critical vulnerability in a popular tool used in 
many supply chains that could lead to yet another SolarWinds type of hack?


What is the guidance to CNAs or CNA-LR when they get a request (and 
agreement) to assign a CVE to a real vulnerability (in emails, attached PoCs) 
but no clear public reference exists? Not assign a CVE?


Thank you,

Chandan


On Fri, Aug 20, 2021 at 9:13 AM Noble, Kathleen <kathleen.no...@intel.com> wrote:

I was going to jump in and say I see this as less a social media 
platform and more a Major Sports League. You want to play at the NBA you play 
by the NBA's rules. The rules can change over time, but it doesn’t make a lot 
of sense to change the game and remove the basket because a few potential 
players are anti-basket.

I agree we table the issue.

Katie Noble
Director, Intel PSIRT and Bug Bounty
503-207-8783
kathleen.no...@intel.com
Keybase: katienoble

-Original Message-
From: Landfield, Kent (Enterprise) 
Sent: Friday, August 20, 2021 10:19 AM
To: Gazlay, Jay <jay.gaz...@cisa.dhs.gov>; Manion, Art <aman...@cert.org>; Chandan B.N. <cnandakum...@paloaltonetworks.com>; CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
Subject: Re: public reference requirement

+1

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, 
Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
-- 
Kent Landfield

McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com


On 8/20/21, 5:42 AM, "Gazlay, Jay" <jay.gaz...@cisa.dhs.gov> wrote:

     Art,

     I concur with your point and path forward.

     Cheers,
     Jay

     -Original Message-
     From: Art Manion <aman...@cert.org>
     Sent: Thursday, August 19, 2021 9:47 PM
     To: Chandan B.N. <cnandakum...@paloaltonetworks.com>; CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org>
     Subject: Re: public reference requirement

     On 2021-08-18 16:58, Chandan B.N. wrote:
     > This is no different than how Twitter users are seen as 
being responsible for 

Re: public reference requirement

2021-08-20 Thread Ken Williams
Right, like OSVDB or Secunia.  Even if a site doesn't go away, there's a
good chance they do something that breaks URLs (like switching to another
CMS) and they may not include redirects.

Do we capture and save the data for every URL we list with a CVE?  If not,
we should.

Regards,
Ken

On Fri, Aug 20, 2021 at 12:44 PM Tod Beardsley wrote:

> Incidentally, websites can and do go away.
>
> If a CVE has a reference that's no longer valid, surely that doesn't
> invalidate the CVE?
>
> On Fri, Aug 20, 2021 at 12:34 PM Chandan B.N. <cnandakum...@paloaltonetworks.com> wrote:
>
>> I agree that the CVE program has different purposes and goals than
>> Twitter.
>>
>> I agree that the public reference requirement is a good thing.
>>
>>
>> The example I gave on the call was this one:
>> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17444
>>
>>
>> IIRC our researchers noticed undocumented admin privileged accounts with
>> easy passwords that were seen in many real-world deployments of this
>> product. The vendor acknowledged the problem and fixed it, but failed to
>> mention either the issue or CVE-2019-17444 in release notes. Our
>> researchers did not pursue publishing any blog on this topic - likely they
>> had moved into doing new research.
>>
>>
>> While this may be a corner case: The vendor and the researcher have
>> decided they no longer have skin in the game. Don't the consumers and
>> vulnerability management community still have skin in the game?  Especially
>> when it is a real confirmed critical vulnerability in a popular tool
>> used in many supply chains that could lead to yet another SolarWinds
>> type of hack?
>>
>>
>> What is the guidance to CNAs or CNA-LR when they get a request (and
>> agreement) to assign a CVE to a real vulnerability (in emails, attached
>> PoCs) but no clear public reference exists? Not assign a CVE?
>>
>>
>> Thank you,
>>
>> Chandan
>>
>> On Fri, Aug 20, 2021 at 9:13 AM Noble, Kathleen wrote:
>>
>>> I was going to jump in and say I see this as less a social media
>>> platform and more a Major Sports League. You want to play at the NBA you
>>> play by the NBA's rules. The rules can change over time, but it doesn’t
>>> make a lot of sense to change the game and remove the basket because a few
>>> potential players are anti-basket.
>>>
>>> I agree we table the issue.
>>>
>>> Katie Noble
>>> Director, Intel PSIRT and Bug Bounty
>>> 503-207-8783
>>> kathleen.no...@intel.com
>>> Keybase: katienoble
>>>
>>> -Original Message-
>>> From: Landfield, Kent (Enterprise) 
>>> Sent: Friday, August 20, 2021 10:19 AM
>>> To: Gazlay, Jay ; Manion, Art ;
>>> Chandan B.N. ; CVE Editorial Board
>>> Discussion 
>>> Subject: Re: public reference requirement
>>>
>>> +1
>>>
>>> Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!,
>>> Спасибо!, Bedankt, Danke!, ありがとう, धन्यवाद!
>>> --
>>> Kent Landfield
>>> McAfee Enterprise
>>> +1.817.637.8026
>>> kent_landfi...@mcafee.com
>>>
>>>
>>> On 8/20/21, 5:42 AM, "Gazlay, Jay"  wrote:
>>>
>>> Art,
>>>
>>> I concur with your point and path forward.
>>>
>>> Cheers,
>>> Jay
>>>
>>> -Original Message-
>>> From: Art Manion 
>>> Sent: Thursday, August 19, 2021 9:47 PM
>>> To: Chandan B.N. ; CVE Editorial
>>> Board Discussion 
>>> Subject: Re: public reference requirement
>>>
>>> On 2021-08-18 16:58, Chandan B.N. wrote:
>>> > This is no different than how Twitter users are seen as being
>>> responsible for their tweets and not Twitter Inc.,
>>>
>>> I was trying to not bring this up :)
>>>
>>> I'd say Twitter is much more of a platform with highly independent
>>> contributors than the CVE Program currently is.  Twitter might not be a
>>>

Re: public reference requirement

2021-08-20 Thread Tod Beardsley
Incidentally, websites can and do go away.

If a CVE has a reference that's no longer valid, surely that doesn't
invalidate the CVE?

On Fri, Aug 20, 2021 at 12:34 PM Chandan B.N. <cnandakum...@paloaltonetworks.com> wrote:

> I agree that the CVE program has different purposes and goals than Twitter.
>
> I agree that the public reference requirement is a good thing.
>
>
> The example I gave on the call was this one:
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17444
>
>
> IIRC our researchers noticed undocumented admin privileged accounts with
> easy passwords that were seen in many real-world deployments of this
> product. The vendor acknowledged the problem and fixed it, but failed to
> mention either the issue or CVE-2019-17444 in release notes. Our
> researchers did not pursue publishing any blog on this topic - likely they
> had moved into doing new research.
>
>
> While this may be a corner case: The vendor and the researcher have
> decided they no longer have skin in the game. Don't the consumers and
> vulnerability management community still have skin in the game?  Especially
> when it is a real confirmed critical vulnerability in a popular tool used
> in many supply chains that could lead to yet another SolarWinds type of
> hack?
>
>
> What is the guidance to CNAs or CNA-LR when they get a request (and
> agreement) to assign a CVE to a real vulnerability (in emails, attached
> PoCs) but no clear public reference exists? Not assign a CVE?
>
>
> Thank you,
>
> Chandan
>
> On Fri, Aug 20, 2021 at 9:13 AM Noble, Kathleen wrote:
>
>> I was going to jump in and say I see this as less a social media
>> platform and more a Major Sports League. You want to play at the NBA you
>> play by the NBA's rules. The rules can change over time, but it doesn’t
>> make a lot of sense to change the game and remove the basket because a few
>> potential players are anti-basket.
>>
>> I agree we table the issue.
>>
>> Katie Noble
>> Director, Intel PSIRT and Bug Bounty
>> 503-207-8783
>> kathleen.no...@intel.com
>> Keybase: katienoble
>>
>> -----Original Message-
>> From: Landfield, Kent (Enterprise) 
>> Sent: Friday, August 20, 2021 10:19 AM
>> To: Gazlay, Jay ; Manion, Art ;
>> Chandan B.N. ; CVE Editorial Board
>> Discussion 
>> Subject: Re: public reference requirement
>>
>> +1
>>
>> Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!,
>> Bedankt, Danke!, ありがとう, धन्यवाद!
>> --
>> Kent Landfield
>> McAfee Enterprise
>> +1.817.637.8026
>> kent_landfi...@mcafee.com
>>
>>
>> On 8/20/21, 5:42 AM, "Gazlay, Jay"  wrote:
>>
>> Art,
>>
>> I concur with your point and path forward.
>>
>> Cheers,
>> Jay
>>
>> -Original Message-
>> From: Art Manion 
>> Sent: Thursday, August 19, 2021 9:47 PM
>> To: Chandan B.N. ; CVE Editorial
>> Board Discussion 
>> Subject: Re: public reference requirement
>>
>> On 2021-08-18 16:58, Chandan B.N. wrote:
>> > This is no different than how Twitter users are seen as being
>> responsible for their tweets and not Twitter Inc.,
>>
>> I was trying to not bring this up :)
>>
>> I'd say Twitter is much more of a platform with highly independent
>> contributors than the CVE Program currently is.  Twitter might not be a
>> common carrier ISP, but CVE is not a social media platform.
>>
>> The author needs to bear responsibility for errors or bad behavior
>> and having only a CVE entry (today) is too much of a proxy.  Responsibility
>> is arguably more important than the content.
>>
>> I think the program has moved and is moving towards being more
>> "content neutral" -- the upcoming Services and potential ADP pilot are
>> moves in that direction.  I'm confident we can sort out some of the content
>> quality requirements, we need more CNA identity in place.
>>
>> I'll propose to table this for a year?
>>
>> Regards,
>>
>>   - Art
>>
>>
>
> --
> Sr Director, Product Security Assurance, Vulnerability Remediation, and
> PSIRT
> Palo Alto Networks https://security.paloaltonetworks.com/
>



Re: public reference requirement

2021-08-20 Thread Chandan B.N.
I agree that the CVE program has different purposes and goals than Twitter.

I agree that the public reference requirement is a good thing.


The example I gave on the call was this one:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17444


IIRC our researchers noticed undocumented admin privileged accounts with
easy passwords that were seen in many real-world deployments of this
product. The vendor acknowledged the problem and fixed it, but failed to
mention either the issue or CVE-2019-17444 in release notes. Our
researchers did not pursue publishing any blog on this topic - likely they
had moved into doing new research.


While this may be a corner case: The vendor and the researcher have decided
they no longer have skin in the game. Don't the consumers and vulnerability
management community still have skin in the game?  Especially when it is a
real confirmed critical vulnerability in a popular tool used in many supply
chains that could lead to yet another SolarWinds type of hack?


What is the guidance to CNAs or CNA-LR when they get a request (and
agreement) to assign a CVE to a real vulnerability (in emails, attached
PoCs) but no clear public reference exists? Not assign a CVE?


Thank you,

Chandan

On Fri, Aug 20, 2021 at 9:13 AM Noble, Kathleen wrote:

> I was going to jump in and say I see this as less a social media platform
> and more a Major Sports League. You want to play at the NBA you play by the
> NBA's rules. The rules can change over time, but it doesn’t make a lot of
> sense to change the game and remove the basket because a few potential
> players are anti-basket.
>
> I agree we table the issue.
>
> Katie Noble
> Director, Intel PSIRT and Bug Bounty
> 503-207-8783
> kathleen.no...@intel.com
> Keybase: katienoble
>
> -Original Message-
> From: Landfield, Kent (Enterprise) 
> Sent: Friday, August 20, 2021 10:19 AM
> To: Gazlay, Jay ; Manion, Art ;
> Chandan B.N. ; CVE Editorial Board
> Discussion 
> Subject: Re: public reference requirement
>
> +1
>
> Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!,
> Bedankt, Danke!, ありがとう, धन्यवाद!
> --
> Kent Landfield
> McAfee Enterprise
> +1.817.637.8026
> kent_landfi...@mcafee.com
>
>
> On 8/20/21, 5:42 AM, "Gazlay, Jay"  wrote:
>
> Art,
>
> I concur with your point and path forward.
>
> Cheers,
> Jay
>
> -Original Message-----
> From: Art Manion 
> Sent: Thursday, August 19, 2021 9:47 PM
> To: Chandan B.N. ; CVE Editorial
> Board Discussion 
> Subject: Re: public reference requirement
>
> On 2021-08-18 16:58, Chandan B.N. wrote:
> > This is no different than how Twitter users are seen as being
> responsible for their tweets and not Twitter Inc.,
>
> I was trying to not bring this up :)
>
> I'd say Twitter is much more of a platform with highly independent
> contributors than the CVE Program currently is.  Twitter might not be a
> common carrier ISP, but CVE is not a social media platform.
>
> The author needs to bear responsibility for errors or bad behavior and
> having only a CVE entry (today) is too much of a proxy.  Responsibility is
> arguably more important than the content.
>
> I think the program has moved and is moving towards being more
> "content neutral" -- the upcoming Services and potential ADP pilot are
> moves in that direction.  I'm confident we can sort out some of the content
> quality requirements, we need more CNA identity in place.
>
> I'll propose to table this for a year?
>
> Regards,
>
>   - Art
>
>

-- 
Sr Director, Product Security Assurance, Vulnerability Remediation, and
PSIRT
Palo Alto Networks https://security.paloaltonetworks.com/


RE: public reference requirement

2021-08-20 Thread Noble, Kathleen
I was going to jump in and say I see this as less a social media platform and 
more a Major Sports League. You want to play at the NBA you play by the NBA's 
rules. The rules can change over time, but it doesn’t make a lot of sense to 
change the game and remove the basket because a few potential players are 
anti-basket. 

I agree we table the issue. 

Katie Noble 
Director, Intel PSIRT and Bug Bounty
503-207-8783
kathleen.no...@intel.com
Keybase: katienoble

-Original Message-
From: Landfield, Kent (Enterprise)  
Sent: Friday, August 20, 2021 10:19 AM
To: Gazlay, Jay ; Manion, Art ; 
Chandan B.N. ; CVE Editorial Board 
Discussion 
Subject: Re: public reference requirement

+1

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, 
Bedankt, Danke!, ありがとう, धन्यवाद!
-- 
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com
 

On 8/20/21, 5:42 AM, "Gazlay, Jay"  wrote:

Art,

I concur with your point and path forward.

Cheers,
Jay

-Original Message-
From: Art Manion  
Sent: Thursday, August 19, 2021 9:47 PM
To: Chandan B.N. ; CVE Editorial Board 
Discussion 
Subject: Re: public reference requirement

On 2021-08-18 16:58, Chandan B.N. wrote:
> This is no different than how Twitter users are seen as being responsible 
for their tweets and not Twitter Inc.,

I was trying to not bring this up :)

I'd say Twitter is much more of a platform with highly independent 
contributors than the CVE Program currently is.  Twitter might not be a common 
carrier ISP, but CVE is not a social media platform.

The author needs to bear responsibility for errors or bad behavior and 
having only a CVE entry (today) is too much of a proxy.  Responsibility is 
arguably more important than the content.

I think the program has moved and is moving towards being more "content 
neutral" -- the upcoming Services and potential ADP pilot are moves in that 
direction.  I'm confident we can sort out some of the content quality 
requirements, we need more CNA identity in place.

I'll propose to table this for a year?

Regards,

  - Art



Re: public reference requirement

2021-08-20 Thread Landfield, Kent (Enterprise)
+1

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, 
Bedankt, Danke!, ありがとう, धन्यवाद!
-- 
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com
 

On 8/20/21, 5:42 AM, "Gazlay, Jay"  wrote:

Art,

I concur with your point and path forward.

Cheers,
Jay

-Original Message-
From: Art Manion  
Sent: Thursday, August 19, 2021 9:47 PM
To: Chandan B.N. ; CVE Editorial Board 
Discussion 
Subject: Re: public reference requirement

On 2021-08-18 16:58, Chandan B.N. wrote:
> This is no different than how Twitter users are seen as being responsible 
for their tweets and not Twitter Inc.,

I was trying to not bring this up :)

I'd say Twitter is much more of a platform with highly independent 
contributors than the CVE Program currently is.  Twitter might not be a common 
carrier ISP, but CVE is not a social media platform.

The author needs to bear responsibility for errors or bad behavior and 
having only a CVE entry (today) is too much of a proxy.  Responsibility is 
arguably more important than the content.

I think the program has moved and is moving towards being more "content 
neutral" -- the upcoming Services and potential ADP pilot are moves in that 
direction.  I'm confident we can sort out some of the content quality 
requirements, we need more CNA identity in place.

I'll propose to table this for a year?

Regards,

  - Art



RE: public reference requirement

2021-08-20 Thread Gazlay, Jay
Art,

I concur with your point and path forward.

Cheers,
Jay

-Original Message-
From: Art Manion  
Sent: Thursday, August 19, 2021 9:47 PM
To: Chandan B.N. ; CVE Editorial Board 
Discussion 
Subject: Re: public reference requirement

On 2021-08-18 16:58, Chandan B.N. wrote:
> This is no different than how Twitter users are seen as being responsible for 
> their tweets and not Twitter Inc.,

I was trying to not bring this up :)

I'd say Twitter is much more of a platform with highly independent contributors 
than the CVE Program currently is.  Twitter might not be a common carrier ISP, 
but CVE is not a social media platform.

The author needs to bear responsibility for errors or bad behavior and having 
only a CVE entry (today) is too much of a proxy.  Responsibility is arguably 
more important than the content.

I think the program has moved and is moving towards being more "content 
neutral" -- the upcoming Services and potential ADP pilot are moves in that 
direction.  I'm confident we can sort out some of the content quality 
requirements, we need more CNA identity in place.

I'll propose to table this for a year?

Regards,

  - Art


Re: public reference requirement

2021-08-19 Thread Art Manion

On 2021-08-18 16:58, Chandan B.N. wrote:

This is no different than how Twitter users are seen as being responsible for 
their tweets and not Twitter Inc.,


I was trying to not bring this up :)

I'd say Twitter is much more of a platform with highly independent contributors 
than the CVE Program currently is.  Twitter might not be a common carrier ISP, 
but CVE is not a social media platform.

The author needs to bear responsibility for errors or bad behavior and having 
only a CVE entry (today) is too much of a proxy.  Responsibility is arguably 
more important than the content.

I think the program has moved and is moving towards being more "content 
neutral" -- the upcoming Services and potential ADP pilot are moves in that 
direction.  I'm confident we can sort out some of the content quality requirements, we 
need more CNA identity in place.

I'll propose to table this for a year?

Regards,

 - Art


RE: public reference requirement

2021-08-18 Thread Waltermire, David A. (Fed)
Yes, although you could also say that as the entity publishing a vulnerability 
as a CVE record the CNA *is* making that claim themselves. This breaks down 
when we talk about a CNA-LR. One solution could be to allow CNAs to publish 
without a reference if they meet the higher record requirements, but require 
CNA-LRs to publish with a reference always. Both scenarios could be mechanically 
validated by the CVE submission service.

Regards,
Dave

-Original Message-
From: Landfield, Kent (Enterprise)  
Sent: Wednesday, August 18, 2021 4:19 PM
To: Art Manion ; CVE Editorial Board Discussion 

Subject: Re: public reference requirement

Totally agree!

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, 
Bedankt, Danke!, ありがとう, धन्यवाद!
-- 
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com
 

On 8/18/21, 3:07 PM, "Art Manion"  wrote:

Towards the end of the discussion today, this came up:  Participants in 
these sorts of large/distributed systems (the CVE Program) *must* have some 
real responsibility, aka skin in the game.  So, the requirement to me is that 
the entity requesting or assigning or populating the CVE entry *must also be 
willing to make the same claim themselves.*  This can be a git commit, a vendor 
advisory, a researcher blog post.  More than the content, the fact that the 
claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the 
program that the program doesn't own -- the program catalogs vulnerabilities, 
the program doesn't own (i.e., discover, create, fix) vulnerabilities.

  - Art
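Dave's proposal above (a CNA-LR must always publish with a reference; any other CNA may omit one only if the record meets the higher record requirements) and Art's suggestion earlier in this thread of archiving referenced content through the Wayback Machine's Save Page feature are both things a submission service could do mechanically. The Python below is an added illustration written for this page, not code from the CVE Program or CVE Services. It assumes the CVE JSON 5.0 record layout (cveMetadata.assignerShortName, containers.cna.references[].url); the CNA-LR short names, the set of fields a reference-free record must carry, and the Save Page Now URL prefix are assumptions made for the example, and the sample records are constructed.

```python
"""Mechanical check of the CVE 'public reference requirement'.

Added example, not CVE Program or CVE Services code. Assumes the CVE
JSON 5.0 record layout; the CNA-LR short names, the required-field set
and the Wayback 'Save Page Now' prefix are assumptions for this example.
"""
from urllib.parse import urlparse

# Assumption: CNAs of Last Resort are recognised by assigner short name.
CNA_LR_SHORT_NAMES = {"mitre", "cisa"}

# Assumption: the "higher record requirements" a CNA must meet to publish
# a record that carries no public reference.
REQUIRED_WITHOUT_REFERENCE = ("descriptions", "affected", "problemTypes")

# Wayback Machine 'Save Page Now' prefix (see the help article linked above).
WAYBACK_SAVE_PREFIX = "https://web.archive.org/save/"


def is_public_url(url):
    """A reference is 'public' only if it is an absolute http(s) URL with a
    host; mailto: links, local paths and bare text do not count."""
    p = urlparse(url or "")
    return p.scheme in ("http", "https") and bool(p.netloc)


def public_references(record):
    """Return the public reference URLs in the record's CNA container."""
    refs = record.get("containers", {}).get("cna", {}).get("references", [])
    return [r.get("url") for r in refs
            if isinstance(r, dict) and is_public_url(r.get("url"))]


def validate_record(record):
    """Return a list of violation codes; an empty list means the record passes.

    Rule under test: a CNA-LR record must always carry a public reference;
    any other CNA may omit it only if the record has every required field."""
    assigner = record.get("cveMetadata", {}).get("assignerShortName", "").lower()
    cna = record.get("containers", {}).get("cna", {})
    if public_references(record):
        return []
    if assigner in CNA_LR_SHORT_NAMES:
        return ["lr-missing-reference"]
    missing = [f for f in REQUIRED_WITHOUT_REFERENCE if not cna.get(f)]
    return ["cna-missing-fields:" + ",".join(missing)] if missing else []


def archive_requests(record):
    """'Save Page Now' URLs for each public reference, so the cited content
    survives even if the original site later disappears or breaks its URLs."""
    return [WAYBACK_SAVE_PREFIX + url for url in public_references(record)]


# Constructed sample records (not real CVE entries).
_FULL_CNA_FIELDS = {
    "descriptions": [{"lang": "en", "value": "constructed description"}],
    "affected": [{"vendor": "example", "product": "demo"}],
    "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-1"}]}],
}
LR_NO_REF = {  # CNA-LR record with no reference: must fail
    "cveMetadata": {"cveId": "CVE-1900-0001", "assignerShortName": "mitre"},
    "containers": {"cna": dict(_FULL_CNA_FIELDS, references=[])},
}
CNA_NO_REF_COMPLETE = {  # CNA record, only a mailto: link, but all fields present
    "cveMetadata": {"cveId": "CVE-1900-0002", "assignerShortName": "examplecna"},
    "containers": {"cna": dict(_FULL_CNA_FIELDS,
                               references=[{"url": "mailto:psirt@example.invalid"}])},
}
CNA_NO_REF_INCOMPLETE = {  # CNA record, no reference and missing fields
    "cveMetadata": {"cveId": "CVE-1900-0003", "assignerShortName": "examplecna"},
    "containers": {"cna": {"descriptions": _FULL_CNA_FIELDS["descriptions"],
                           "references": []}},
}
CNA_WITH_REF = {  # CNA-LR record with a public reference: passes, gets archived
    "cveMetadata": {"cveId": "CVE-1900-0004", "assignerShortName": "cisa"},
    "containers": {"cna": dict(_FULL_CNA_FIELDS,
                               references=[{"url": "https://example.invalid/advisory/1"}])},
}

if __name__ == "__main__":
    for rec in (LR_NO_REF, CNA_NO_REF_COMPLETE, CNA_NO_REF_INCOMPLETE, CNA_WITH_REF):
        cve_id = rec["cveMetadata"]["cveId"]
        print(cve_id, validate_record(rec) or "ok", archive_requests(rec))
```

The check runs entirely on the record; submitting the Save Page Now URLs is a separate network step, kept out of the validator so that the policy decision stays deterministic and auditable.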




Re: public reference requirement

2021-08-18 Thread Landfield, Kent (Enterprise)
CVE is not twitter and the vulnerability management community does not rely on 
it. This is a silly analogy. Different purposes, different services, different 
goals.

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, 
Bedankt, Danke!, ありがとう, धन्यवाद!
--
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com


From: "Chandan B.N." 
Date: Wednesday, August 18, 2021 at 3:58 PM
To: CVE Editorial Board Discussion 
Subject: Re: public reference requirement


Completely agree that the participants must own what they contribute to the CVE 
list.
That ownership/attribution should be clearly visible on the (new) CVE.org site.
Consumers of a poorly written (vague, unactionable) CVE entry should talk to 
the CNA and not blame the CVE Program or MITRE.

This is no different than how Twitter users are seen as being responsible for 
their tweets and not Twitter Inc.,
While a hyperlink in a tweet may increase a tweet's credibility, why would lack 
of one make a tweet not authoritative?

IMHO the reason services like Twitter have a lot of participation is because 
they do not require everyone to set up their own websites to be able to publish 
opinions (which was the case in the 1990s :-))
Thank you,
Chandan

On Wed, Aug 18, 2021 at 1:07 PM Art Manion <aman...@cert.org> wrote:

Towards the end of the discussion today, this came up:  Participants in these 
sorts of large/distributed systems (the CVE Program) *must* have some real 
responsibility, aka skin in the game.  So, the requirement to me is that the 
entity requesting or assigning or populating the CVE entry *must also be 
willing to make the same claim themselves.*  This can be a git commit, a vendor 
advisory, a researcher blog post.  More than the content, the fact that the 
claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the program 
that the program doesn't own -- the program catalogs vulnerabilities, the 
program doesn't own (i.e., discover, create, fix) vulnerabilities.

  - Art


--
Sr Director, Product Security Assurance, Vulnerability Remediation, and PSIRT
Palo Alto Networks https://security.paloaltonetworks.com/


Re: public reference requirement

2021-08-18 Thread Chandan B.N.
Completely agree that the participants must own what they contribute to the
CVE list.
That ownership/attribution should be clearly visible on the (new) CVE.org
site.
Consumers of a poorly written (vague, unactionable) CVE entry should talk
to the CNA and not blame the CVE Program or MITRE.

This is no different than how Twitter users are seen as being responsible
for their tweets and not Twitter Inc.,
While a hyperlink in a tweet may increase a tweet's credibility, why would
lack of one make a tweet not authoritative?

IMHO the reason services like Twitter have a lot of participation is
because they do not require everyone to set up their own websites to be
able to publish opinions (which was the case in the 1990s :-))

Thank you,
Chandan

On Wed, Aug 18, 2021 at 1:07 PM Art Manion  wrote:

>
> Towards the end of the discussion today, this came up:  Participants in
> these sorts of large/distributed systems (the CVE Program) *must* have some
> real responsibility, aka skin in the game.  So, the requirement to me is
> that the entity requesting or assigning or populating the CVE entry *must
> also be willing to make the same claim themselves.*  This can be a git
> commit, a vendor advisory, a researcher blog post.  More than the content,
> the fact that the claim is published by the CVE requester/assigner matters.
>
> Otherwise the system allows participants to push responsibility on the
> program that the program doesn't own -- the program catalogs
> vulnerabilities, the program doesn't own (i.e., discover, create, fix)
> vulnerabilities.
>
>   - Art
>


-- 
Sr Director, Product Security Assurance, Vulnerability Remediation, and
PSIRT
Palo Alto Networks https://security.paloaltonetworks.com/


Re: public reference requirement

2021-08-18 Thread Landfield, Kent (Enterprise)
Totally agree!

Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, 
Bedankt, Danke!, ありがとう, धन्यवाद!
-- 
Kent Landfield
McAfee Enterprise
+1.817.637.8026
kent_landfi...@mcafee.com
 

On 8/18/21, 3:07 PM, "Art Manion"  wrote:

Towards the end of the discussion today, this came up:  Participants in 
these sorts of large/distributed systems (the CVE Program) *must* have some 
real responsibility, aka skin in the game.  So, the requirement to me is that 
the entity requesting or assigning or populating the CVE entry *must also be 
willing to make the same claim themselves.*  This can be a git commit, a vendor 
advisory, a researcher blog post.  More than the content, the fact that the 
claim is published by the CVE requester/assigner matters.

Otherwise the system allows participants to push responsibility on the 
program that the program doesn't own -- the program catalogs vulnerabilities, 
the program doesn't own (i.e., discover, create, fix) vulnerabilities.

  - Art