Re: Current and future CVE states

On 5/3/17 3:36 PM, Kurt Seifried wrote:

> PUBLIC - currently covered by the minimum JSON format

Published by the appropriate CNA(s), fully public, known to the
master/MITRE list.  Implies RESERVED and ASSIGNED.

> REJECT - currently not covered by JSON format, needs specific sub states?

Was ASSIGNED (and RESERVED) but has now been REJECTed.

> Reason: This candidate was withdrawn by its CNA.


> Reason:  This candidate is a reservation duplicate of CVE-2017-7466.
> Notes: All CVE users should reference CVE-2017-7466 instead of this
> candidate.

> DWF had these states for REJECT’ed CVEs:

>     SPLIT_TO [list of CVEs]
>     MERGED_TO [lCVE]
>     REJECT (classic, e.g. not a vuln)


These all seem useful.

> RESERVED - currently not covered by JSON format, needs specific sub states?
>     RESERVED as part of CNA block, not used yet (do we want to actually
>     list this uniquely?)
>     RESERVED as an actual CVE assignment that will become public (most
>     useful for MITRE “Retail” assignments?)

ASSIGNED: Assigned by a CNA to a vulnerability, but not public yet,
likely under embargo.  ASSIGNED implies RESERVED.

RESERVED: Reserved by a CNA for future assignment, but not ASSIGNED, and
not in the UNASSIGNED pool.

UNASSIGNED: Default state?  In the pool of infinite available IDs but
not in any other state?  Needed at all?

 - Art

Page Last Updated or Reviewed: May 09, 2017