by lifthrasiir
861 days ago
CVE numbers are nothing more than identifiers for Common Vulnerabilities and Exposures of all sorts and all severities, so they theoretically do not require any kind of vendor confirmation. However, in reality CVE numbers are seen as some sort of absolute indication of unsafety---which is hardly true---by both security researchers and vendors. So we have two opposite problems now:

1. Security researchers are gaming the CVE system to get more CVE numbers in their portfolio, resulting in frustrated vendors. This is why curl and the Linux kernel went for becoming a CVE Numbering Authority (CNA), but...

2. Vendors are also trying to reduce the number of CVE numbers assigned for their products, and while not every vendor CNA is that hostile, some do become a CNA solely for this purpose.

I believe we should deemphasize the impact of CVE numbers to solve both problems. They should be just identifiers for researchers and users and should not necessarily convey any sort of insecurity---otherwise you will end up with hostile vendors. We can't change the reputation of current CVE numbers, however, so I proposed a "provisional" CVE number that hopefully does not convey the same reputation. Hostile vendors can prevent any new (confirmed) CVE number from being assigned, but that's not very different from today. But we can forbid them from preventing new provisional CVE numbers from being assigned, assuming an appropriate process update. So we still retain a reliable identifier for CVEs; they may be provisional, however.