Full Disclosure mailing list archives
Re: Open Letter on the Interpretation of "Vulnerability Statistics"
From: "Steven M. Christey" <coley () mitre org>
Date: Fri, 3 Feb 2006 16:52:41 -0500 (EST)
Florian Weimer said:
Unless things have changed since I went through the process, the authority involved does not extend to Debian in general but only to specific individuals.
Certainly, at Debian, only certain individuals issue CVEs. I can't tell if this is Debian's choice, or a result of MITRE's rules.

Like some other aspects of CVE, there is a distinct lack of distinction between individuals and organizations. In the case of these Candidate Numbering Authorities (CNAs), a specific individual at the CNA goes through some period of training to ensure that he/she learns how to assign the proper number of identifiers in accordance with CVE's content decisions. Usually this training is for a specific individual of the organization. But as long as the CNA collectively follows CVE's content decisions when it assigns identifiers, how it "implements" those actions is not within CVE's purview. For example, Red Hat and CERT are two other organizations that have multiple people assigning CVE identifiers.

- Steve

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
