On 08/25/2016 12:10 PM, Kurt Seifried wrote:
>>> INC4: can we better define public/private? E.g. what if a medical device
>>> maker plans to use a CVE for an issue that they will then inform every user
>>> of directly? Ditto for aerospace/SCADA/etc.
>>
>> I'm not sure I understand what you would like to have happen. Limited
>> diffusion? As a customer, I'd be confused to receive a notice referring to
>> a CVE I couldn't look up on a public web site, if that's what you meant. If
>> you meant embargoed issues, doesn't the CVE do that already?
>
> So Red Hat has 1000+ CVEs we've assigned and are not in the MITRE database.
> So that bridge has already been crossed. Also I'm assuming the CVEs will be
> available in the vendor database/website, e.g.:
>
> https://cve.org/CVERecord?id=CVE-2002-2438
>
> We have a page with limited info (mostly because we're not affected =)
>
> https://access.redhat.com/security/cve/cve-2002-2438
>
> A CVE being in the MITRE or any public database is certainly nice to have,
> especially for high profile issues, but I wouldn't make it a requirement.
The example you give does have public information at http://www.kb.cert.org/vuls/id/464113 , so even though it's deplorable that the NVD, CVE and Red Hat web sites don't have any information or even a link to that, I'm not distressed.
However, I'm disappointed by the implication, if true, that many of these 1000+ CVEs could all be "RESERVED" with no public explanation anywhere and with no intent to make them public at any point in the future. What was the point of using the CVE then? If there was a need for secrecy, I believe there should be some form of disclosure after some time. Think of it as declassification, which is of particular interest to historians and academics.
Pascal