Clarify that CVE IDs can be assigned to vulnerabilities that are already public #32
Comments
Define public, e.g. what if it is shared within an industry (e.g. aerospace)? Does it need to go to oss-security? etc.
Here is what I have in my training presentation for what public is:
Does this mean free sign up, or can it be tied to something that may not cost money but may be a pain to sign up for (e.g. they only allow signup using a Facebook account)?
If anyone anywhere has the ability to get to the information without paying money, the resource would be acceptable.
I would generally agree, but there are a few corner cases where the signup process is so onerous (e.g. you have to log into an IRC channel, wait for someone to be around, and ask them for an account on the bug tracker, and no, this isn't a made-up case, this is a real-world case) that nobody can be bothered to do it. This is also one of the reasons I want to embed a copy of the data into the CVE JSON data (so if it goes away or is hard to get at there's the data in CVE JSON at least, even if out of date it's better than nothing).
Suggestion: change INC2 to read: Is the vulnerability report or the issue described currently published publicly or intended to be published to a publicly available location in the future? CVE IDs are intended to be public information and are not assigned to vulnerabilities that are intended to be private. See Section 2.1 for a description of what is considered “public”.
GOAL: Document existing policy
CHANGE: INC2 should be changed to clarify that vulnerabilities that are already public can be assigned a CVE ID.
OUTCOME: Reduced confusion.