Home page logo

oss-sec logo oss-sec mailing list archives

Re: CVE id assignment dates
From: "Steven M. Christey" <coley () rcf-smtp mitre org>
Date: Mon, 23 Jan 2012 15:04:25 -0500 (EST)


This misconception is, unfortunately, all too common. I will look into ways of changing it on the CVE web site.

The Assigned date, strictly defined, is the date on which the specific CVE *number* was first created and "committed" to the CVE database. There is no guaranteed relationship between the public disclosure date and the Assigned date.

When a CNA receives a pool of numbers, the Assigned date is when that pool was created by MITRE. A CNA pool is just a list of CVE numbers that aren't even associated with a specific vulnerability.

When MITRE reserves a CVE candidate for an independent, non-CNA party, the "Assigned" date reflects the day that we reserved the candidate - which is sometimes before the issue is published, and sometimes even before the vendor is notified.

In other cases, MITRE independently assigns new CVEs for already-disclosed vulnerabilities, and the Assigned date reflects when we created those CVEs. In this case, the Assigned date can be AFTER the original disclosure date.

We do not publish any dates related to disclosure, patch, or vendor notification; interested parties can consult other databases that explicitly track this information, such as OSVDB.

- Steve

On Mon, 23 Jan 2012, Solar Designer wrote:


It appears that many people are confused by and concerned about the
"Assigned" dates on CVE ids, not being aware that these dates often (or
even all the time?) merely reflect the assignment of a CVE id pool to a
CNA, normally before the actual vulnerabilities are discovered.

For example, CVE-2012-0056 shows "Assigned (20111207)" - so someone
wrongly thought that this meant that kernel developers or whoever sat on
this bug for 1.5 months.

I think cve.mitre.org web pages need to provide an explanation right
next to these dates or not show the dates.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]