CVE IDs for malware



> That's right, there is no, or should not be any, morality whatsoever attached to assigning a CVE identifier. If we were to accept morality in the operation of this mechanism, next some CNA will be denying CVEs to software companies they don't like, for contentious reasons. Morality considerations would destroy the CVE program.
>
> Pascal
>
>
> On Mon, 25 Jan 2021 16:01:37 -0600
> Ken Williams <> wrote:
>
>> Suggesting that we would be "making malware better" is both incorrect and
>> very inappropriate. We're talking about vulnerabilities that are *already
>> public*, and we're simply assigning an identifier to them so everybody can
>> be sure they are talking about the same vulnerability/issue/malware.
>>
>> Do we want to blame the Library of Congress for simply assigning an LCCN to
>> "To Kill a Mockingbird" or "1984"?
>>
>> Regards,
>> Ken
>>
>> On Mon, Jan 25, 2021 at 3:48 PM Noble, Kathleen <>
>> wrote:
>>
>>>
>>> Can we either have a subject-matter-expert-informed conversation,
>>> i.e. we invite outside SMEs to provide insight and expertise on this
>>> subject rather than just us talking about it over and over again, or can we
>>> just take a vote on this issue?
>>>
>>> I am strongly of the opinion that I am not about making malware
>>> better, I am about assigning CVEs for vulnerabilities in legitimate
>>> software and hardware.
>>>
>>> Katie Noble
>>> Director, Intel PSIRT and Bug Bounty
>>> 503-207-8783
>>>
>>> Keybase: katienoble
>>>
>>> -----Original Message-----
>>> From: Pascal Meunier <>
>>> Sent: Monday, January 25, 2021 2:51 PM
>>> To: Chris Levendis <>
>>> Cc: Manion, Art <>; Seifried, Kurt <>;
>>> Waltermire, David <>; CVE Editorial Board
>>> Discussion <>
>>> Subject: Re: CVE IDs for malware
>>>
>>> We can't afford to arbitrate what is malware and what is not for three
>>> major reasons. One is that it's a trap, or potential quagmire if you
>>> prefer, that could quickly get expensive in all sorts of bad ways. Second,
>>> there has been "malware" forcibly installed by a major corporation on their
>>> customers' PCs, and any vulnerability created by it would be of great
>>> public interest and in legitimate need of a CVE. Third, there's nothing to
>>> be gained by the program by denying a CVE to someone who wants to use one,
>>> for any publicly known vulnerability.
>>>
>>> Just assign a CVE to the vulnerability in any software of interest and be
>>> done, don't get dirty and bogged down.
>>>
>>> Pascal
>>>
>>> On Mon, 25 Jan 2021 19:24:20 +0000
>>> Chris Levendis <> wrote:
>>>
>>>> Based on my recollection, you are remembering this correctly, Dave.
>>>> However, no vote was held and I'm unsure as to how many Board members agree
>>>> with this position. I agree with the position that we assign for malware
>>>> unless there is a good argument against doing so.
>>>>
>>>> C
>>>>
>>>> Get Outlook for iOS <https://aka.ms/o0ukef>
>>>> ________________________________
>>>> From: Waltermire, David A. (Fed) <>
>>>> Sent: Monday, January 25, 2021 1:51:39 PM
>>>> To: Manion, Art <>; Seifried, Kurt <>
>>>> Cc: CVE Editorial Board Discussion
>>>> <>
>>>> Subject: RE: CVE IDs for malware
>>>>
>>>> I believe we left this with the CVE program choosing not to decide what
>>>> is "mal" and what is not. This means that if there is a valid request to
>>>> assign a CVE to software in general, the CVE program would support it
>>>> either through CNA-based assignment or through a CNA of last resort.
>>>>
>>>> Am I remembering this correctly?
>>>>
>>>> Dave
>>>>
>>>> -----Original Message-----
>>>> From: Art Manion <>
>>>> Sent: Friday, January 22, 2021 10:52 AM
>>>> To: Kurt Seifried <>
>>>> Cc: CVE Editorial Board Discussion
>>>> <>
>>>> Subject: Re: CVE IDs for malware
>>>>
>>>>
>>>> https://malvuln.com/#about
>>>>
>>>> While not a priority, it should IMO be possible to assign CVE IDs to
>>>> vulnerabilities in any software, including "malware." Remember, the "mal"
>>>> prefix can be a matter of perspective.
>>>>
>>>> - Art
>>>>
>>>>
>>>> On 2020-08-17 14:54, Art Manion wrote:
>>>>>
>>>>> My recollection, real or imagined, is that it just wasn't a strong use
>>>>> case among CVE consumers. I don't recall if there were active reasons
>>>>> against, like possibly aiding malware developers/users.
>>>>>
>>>>> I think it's good for the CVE Project to be separate from any
>>>>> pre-public-disclosure issues (embargo length, coordination issues,
>>>>> malware/goodware, vulnerability equities, etc.). When a vulnerability
>>>>> becomes public, it gets a CVE ID; what happens before or after the CVE ID
>>>>> issuance is other people's problems.
>>>>>
>>>>> Pretty sure CVE documentation prefers/recommends/suggests coordinated
>>>>> vulnerability disclosure, but does not require it.
>>>>>
>>>>> - Art
>>>>>
>>>>>
>>>>> On 2020-08-17 14:48, Kurt Seifried wrote:
>>>>>> My question would be "Why are we not doing CVEs for malware?" What
>>>>>> was the reason for this decision (do we have it documented or is it lost in
>>>>>> the ages of time?).
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Mon, Aug 17, 2020 at 11:58 AM Art Manion <> wrote:
>>>>>>
>>>>>> Two threads based on this story:
>>>>>>
>>>>>>
>>>>>> https://www.zdnet.com/article/for-six-months-security-researchers-have-secretly-distributed-an-emotet-vaccine-across-the-world/
>>>>>>
>>>>>>
>>>>>> https://zdnet1.cbsistatic.com/hub/i/2020/08/14/e3a34948-ef00-496f-893c-709f8f748899/emotet-trolling.png
>>>>>>
>>>>>> 1. My opinion is that CVE identifies vulns, period. CVE should
>>>>>> be agnostic about the type or use of the software. E.g., one person's
>>>>>> lawful intercept software is someone else's malware, and the CVE Project
>>>>>> should not be delving into the relative attacker/defender perspective. I
>>>>>> don't consider this a high priority work item for the Project.
>>>>>>
>>>>>> 2. I believe the assignment rules have changed, as part of the
>>>>>> recent CNA rules update. The screenshot in the ZDNet story mentions INC4,
>>>>>> which I believe is deprecated?
>>>>>>
>>>>>> Current rules do not mention INC4 or malware:
>>>>>>
>>>>>>
>>>>>> https://cve.mitre.org/cve/cna/rules.html#section_7_assignment_rules
>>>>>>
>>>>>> https://cve.mitre.org/cve/cna/CNA_Rules_v3.0.pdf
>>>>>>
>>>>>> Deprecated rules, but still published, do mention INC4 and
>>>>>> malware:
>>>>>>
>>>>>>
>>>>>> https://cve.mitre.org/cve/editorial_policies/counting_rules.html
>>>>>>
>>>>>> https://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> - Art
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Kurt Seifried
>>>>>
>>>>
>>>
>>>
>>
>