Re: why many CVEs are ** RESERVED ** on Mitre

[Kurt Seifried <kseifried () redhat com>]

On Wed, Dec 14, 2016 at 7:36 AM, Sevan Janiyan <venture37 () geeklan co uk>
wrote:

> Hello,
>
> On 14/12/2016 14:24, Kurt Seifried wrote:
> > ** RESERVED ** This candidate has been reserved by an organization
> > or individual that will use it when announcing a new security problem.
> > When the candidate has been publicized, the details for this
> > candidate will be provided.
> >
> > This means that the entry number has been reserved by Mitre for an issue
> or
> > a CNA has reserved the number. So in the case where a CNA requests a
> block
> > of CVE numbers in advance (e.g. Red Hat currently requests CVEs in blocks
> > of 500), the CVE number will be marked as reserved even though the CVE
> > itself may not be assigned by the CNA for some time. Until the CVE is
> > assigned AND Mitre is made aware of it (e.g. the embargo passes and the
> > issue is made public), AND Mitre has researched the issue and written a
> > description of it, entries will show up as "** RESERVED **".
>
> This creates a situation where the Mitre site dose not provide any
> information despite, marking the CVE as reserved despite an official
> advisory for effected software referencing the CVE.

So? Also this isn't really the appropriate place for this discussion and
this will be my last reply to this thread.


> Somewhat frustrating when performing vulnerability management as the
> mitre URL is self documenting but useless to reference as a source.

I would suggest you consider getting involved in helping create CVEs if it
is such an important resource, rather then just being a somewhat classic
"Free rider"

https://en.wikipedia.org/wiki/Free_rider_problem



> Sevan



-- 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert () redhat com