[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-CNA JSON Format Proposal

On 2017-03-27 23:37, Kurt Seifried wrote:
> The source container from V.3 of the JSON:
> "SOURCE": {
>       "DATA_VERSION": "3.0",
>       "DISCOVERED_BY": "string",
>       "DISCOVERED_WITH": "string",
>       "VERIFICATION": "string",
>       "CNA_CHAIN": [
>       "string initial CNA",
>       "string parent CNA",
>       "string root CNA"
>       ]
>       }
> So I think the problem for me at least is that "source" is an array 
> with
> a variety of source information things, not just a single thing per 
> se.

Here, source covers discoverer/finder and CNAs involved in the 

>     SOURCE: The organization or individual who reports the details of 
> a
>     vulnerability and is requesting a CVE ID. The SOURCE would report
>     the details and request the CVE ID though a CNA, or in some cases
>     may be the CNA themselves if found internally. Also, this would
>     match up with the discoverer of the vulnerability. ____

Here, "source" ~= "requester."

The source I'm advocating is a required reference to at least one,
original/canonical public URL.  This assumes public CVE entries are for
publicly disclosed vulnerabilities and we're OK requiring a public
reference URL.

 - Art

Page Last Updated or Reviewed: March 28, 2017