RE: Initial Guidance on Linux Issues
> Independent of the question of feasibility, is it required that there be
> CVE ids associated with all packages that are distributed by a
> commercially supported Linux distribution? Or, is there a smaller
> subset of packages for which we need full coverage while still allowing
> partial coverage of the others?

Our (Red Hat) processes and procedures require that every vulnerability is
given a CVE name. We use CVE as our primary key in a number of situations,
including our bug database and CVE database as well as for internal
tracking of issues, instead of using any other unique identifier. In fact
we want it to be an exception where we have to later fix a published
advisory to change or add a CVE name to it (usually only done where Mitre
subsequently split a CVE or due to closed source distribution). We did
this deliberately because when we started using CVE it wasn't very
widespread and we wanted to promote and evangelise it and get other
distros to use it.

If it was to be determined that not every vulnerability we fix (across Red
Hat as a whole, not just Enterprise Linux) would get a CVE name, we would
have to switch to using another unique identifier (with significant
retooling efforts) and it's likely our mapping to CVE would really suffer
(i.e. it's likely we wouldn't have CVE mappings at all in our published
advisories as they are unlikely to have been allocated at the time we push
them). We may even end up sharing those new unique identifiers with
other Linux vendors, and then we end up with an almost-CVE identifier from
a different organisation, and that's my worst nightmare.

This is why I was answering your question with solutions, because I can't
imagine a situation where CVE has partial coverage of the vulnerabilities
we deal with and still remains a relevant and useful tool.