[Secure-testing-team] kernel update
horms at debian.org
Tue Sep 20 01:52:19 UTC 2005
On Fri, Sep 16, 2005 at 02:29:23PM +0200, Florian Weimer wrote:
> * Andres Salomon:
> > How can you tell? The mitre description is absolutely useless. I
> > fucking hate this stupid vendor-sec/mitre non-disclosure policy,
> In most cases, MITRE does not have access to pre-disclosure
> information. They just hand out unique names, and update the database
> based on public data afterwards. However, it is true that they demand
> that CNAs (who can assign CANs) "must follow responsible disclosure
> practices that are accepted by a significant portion of the security
> community" -- whatever this means. Of course, you still receive a CAN
> assignment no matter how you disclose a vulnerability.
> That being said, it's not the job of MITRE to explain the nature of
> vulnerabilities if upstream fails us. The CVE database only reflects
> what the vendors (or other respected data sources) publish. MITRE
> certainly does not mandate researchers or CNAs to keep issues secret.
Unfortunately, in the case of kernel bugs, that disclosure is often not
happening in a useful way. This does greatly lessen the value of the
CAN numbers as a way to refer to a bug, because frankly it is far too
often that it is hard to tell which bug/fix the CAN refers to.