mailing list archives
Re: Strange CVE situation (at least one ID should come of this)
From: cve-assign () mitre org
Date: Fri, 2 Nov 2012 14:49:54 -0400 (EDT)
-----BEGIN PGP SIGNED MESSAGE-----
So if someone publishes an advisory stating "I have found a number of
security flaws in product X." Would that get the same sort of CVE ID?
CVE assignment at MITRE attempts to distinguish between "disclosures"
and "rumors" although admittedly this is not 100% successful. In the
specific case you mentioned, if there's no maintainer relationship
between "I" and "product X" and no other available context, then no
CVE is assigned.
More generally, there are various cases in which exactly the same
statement would have a different CVE assignment decision depending on
whether the statement came from a vendor or other software maintainer.
This has been mentioned here before; for example, see
CVE assignment team, MITRE CVE Numbering Authority
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (SunOS)
-----END PGP SIGNATURE-----
Re: Strange CVE situation (at least one ID should come of this) Raphael Geissert (Oct 30)
Re: Strange CVE situation (at least one ID should come of this) Kurt Seifried (Dec 04)
- Re: Strange CVE situation (at least one ID should come of this), (continued)