
Re: DWF Open Source CNA requirements:

On Mon, Nov 7, 2016 at 7:54 AM, Art Manion <amanion@cert.org> wrote:
On 2016-11-06 16:03, Kurt Seifried wrote:

> 4. What software specifically will you be assigning CVEs for (this can
> be everything you ship, or a limited subset, either way the DWF will
> require a list of names at a minimum, ideally with URLs to the software)

Is something general allowed, e.g., non-vendor CNAs that might have
broad/not-known-in-advance coverage?

Right now I want to focus on the process for "Easy" CNAs; the problem with researchers I plan to discuss Tuesday/Wednesday so we can figure out a framework that will hopefully prevent problems/abuse.

> 5. You must provide a public method (e.g. no login required) for
> published CVEs (e.g. product ChangeLog or a security page with a list of
> CVEs and minimum information as specified in the CNA Rules)

As soon as it's worked out, publication must be in the standard minimum
CVE format and published using the standard transport.

> 10. Once a CVE is made public (e.g. you have fixed the issue) you must
> tell the DWF within 24 hours (by pull request to the
> DWF-Database-Artifacts at a minimum, and optionally the DWF-Database as
> well) using the minimum DWF-Database-Artifact specification currently in
> use
> (https://github.com/distributedweaknessfiling/DWF-Database-Artifacts/blob/master/JSON-file-format-CURRENT.md)

Is performing #10 not the same as #5?

No, I want them to also maintain a security page/changelog at a minimum. People using software from a CNA shouldn't have to watch the DWF/MITRE for notification of CVEs; the CNA should also be publishing them.

 - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: November 08, 2016