
RE: CVE Broken References

I’m ok with either. In general, I have not found Wayback Machine to be especially useful for security research, because of their site performance, and their failure to archive the target site.


The important thing here is simply to ensure that the reference never be completely removed.





From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Coffin, Chris
Sent: Tuesday, October 31, 2017 2:05 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE Broken References





In continuation of the Board call discussion regarding broken references, the CVE team created a few examples of how we might deal with broken CVE references in the future. One problem that we were recently pointed to is where a reference domain was reused by another organization entirely. In these cases, we may want to modify the CVE reference when we become aware of this.


A couple of points to keep in mind:

  • The examples here are specific to the CVE list on the web site only and not the CVE list downloads (e.g., CSV, XML, etc.).
  • If we can automate the process and the pages are likely to have been archived, it would probably be useful to point folks to something like the Wayback Machine.
  • It appears that some of the older references/domains currently referenced are not archived. For these we could just automatically update based on example #1 below (or something else if there are other better ideas).
  • We should probably make it clear when this situation exists, especially when we are including an archive reference (see the options below).
  • Including the Wayback Machine links would not always be a guarantee that a useful archive of the reference would be available, just that we think it would be reasonably likely for the associated domain. Similarly, just because we did include a Wayback Machine link wouldn’t mean the reference won’t be archived there, only that we didn’t think it was likely to be.
  • We are not intending to perform proactive reference maintenance. The examples here apply to cases where an entire domain has been removed and we are made aware of it. We could also do this in one off situations where it seems appropriate.


Example #1 – Remove hyperlink for broken references (see example1.jpg)

In this example, we simply remove the hyperlink and mark the reference URL in some way that makes it clear it is no longer functioning. We could do this automatically for domains that we know no longer exist. The point here is that the previous reference URL does have some value for folks who are trying to track something down, and removing it entirely would hinder this ability. What we are doing is just keeping the casual user of the CVE web site list from clicking on the link.


Example #2 – Add archived calendar URL (see example2.jpg)

In the second example, we have included a case where we feel there’s a good likelihood people can find the page archived by following the link. The text in parentheses would be hyperlinked to a calendar showing when the page appears to have been archived. In the case of the Wayback Machine, it appears that creating this URL is automatable. As mentioned above in the points, I don’t believe it would be a good idea to just change the URL to point to something else. We would want to make it clear when the reference is broken, but also include the archived reference in a form such as this.


What are folks’ thoughts on these examples? Other options?
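The two rendering options above (Example #1: drop the hyperlink and mark the URL; Example #2: additionally link a Wayback Machine capture calendar) as a small added example that is not from the thread or the CVE project. The dead-domain and likely-archived sets are constructed sample data, the "[BROKEN]" marker is an assumed wording, and the calendar URL form `https://web.archive.org/web/*/<url>` is assumed to be what the post means by an automatable calendar link.

```python
"""Render CVE web-page reference lines for domains known to be gone."""
from urllib.parse import urlsplit
import html

# Constructed sample data: domains the team has been told no longer exist
# (or that were reused by another organization entirely).
DEAD_DOMAINS = {"example-advisories.invalid", "oldvendor.example"}
# Constructed: domains where a Wayback Machine capture seems reasonably likely.
LIKELY_ARCHIVED = {"oldvendor.example"}

# Assumed form of the Wayback Machine calendar view for a URL.
WAYBACK_CALENDAR = "https://web.archive.org/web/*/{url}"


def host_of(url: str) -> str:
    """Lower-cased hostname of a reference URL ('' if it has none)."""
    return (urlsplit(url).hostname or "").lower()


def host_in(host: str, domains: set) -> bool:
    """True when host equals, or is a subdomain of, any domain in the set."""
    return any(host == d or host.endswith("." + d) for d in domains)


def is_broken(url: str) -> bool:
    """A reference is broken when its whole domain is known to be dead."""
    return host_in(host_of(url), DEAD_DOMAINS)


def render_reference(url: str) -> str:
    """HTML for one reference line on the CVE web-site list."""
    safe = html.escape(url, quote=True)
    if not is_broken(url):
        return f'<a href="{safe}">{safe}</a>'
    # Example #1: keep the URL as plain text so it still helps people
    # tracking something down, but make sure nobody casually clicks it.
    line = f"{safe} [BROKEN]"
    if host_in(host_of(url), LIKELY_ARCHIVED):
        # Example #2: the text in parentheses links to the capture calendar.
        cal = html.escape(WAYBACK_CALENDAR.format(url=url), quote=True)
        line += f' (<a href="{cal}">archived?</a>)'
    return line
```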





Page Last Updated or Reviewed: November 01, 2017