Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

Re: Contributing Back

Related Vulnerabilities: CVE-2020-8177  
Source 
                							

                <!--X-Body-Begin-->
<!--X-User-Header-->

oss-sec
mailing list archives
<!--X-User-Header-End-->
<!--X-TopPNI-->

By Date

By Thread

</form>

<!--X-TopPNI-End-->
<!--X-MsgBody-->
<!--X-Subject-Header-Begin-->
Re: Contributing Back

<!--X-Subject-Header-End-->
<!--X-Head-of-Message-->

From: Solar Designer &lt;solar () openwall com&gt;

Date: Thu, 23 Jul 2020 13:56:45 +0200

<!--X-Head-of-Message-End-->
<!--X-Head-Body-Sep-Begin-->

<!--X-Head-Body-Sep-End-->
<!--X-Body-of-Message-->
On Thu, Jul 23, 2020 at 01:51:17PM +0530, Mohammad Tausif Siddiqui wrote:
I think the ball is on the CNA: Hackerone side to get it published to
MITRE, so that they can show it up on their page.

CNAs are provided with weekly reports by the root CNA: MITRE, which lists
Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
the CVE was assigned on distros list or elsewhere. That closes the reminder
loop.

There's no pull request for CVE-2020-8177 at
https://github.com/CVEProject/cvelist/pulls
We cannot determine if they used the alternative, web form:
https://cveform.mitre.org/

You may want to reach Hackerone from the CNA contacts
&lt;https://cve.mitre.org/cve/request_id.html#cna_participants&gt;, for this
exception of delay.

Most of the above is once again too specific to the given CVE ID,
whereas we need a general understanding of whether the task Xiao
proposes and volunteers for is worthwhile or not.  I'd appreciate a
direct answer to that.

Do I interpret this paragraph correctly as implying the answer is no? -

CNAs are provided with weekly reports by the root CNA: MITRE, which lists
Reserved But Public "RBP" CVEs owned by that CNA, irrespective of whether
the CVE was assigned on distros list or elsewhere. That closes the reminder
loop.

In other words, CNAs receive their reminders from MITRE weekly, so
there's no need for anyone else reminding them, correct?  However, can
it happen that MITRE wouldn't recognize a CVE ID as "Reserved But
Public", continuing to treat it as merely reserved, in which case there
would be no reminder to correct that?  Could Xiao help with this?

Alexander

<!--X-Body-of-Message-End-->
<!--X-MsgBody-End-->
<!--X-Follow-Ups-->

<!--X-Follow-Ups-End-->
<!--X-References-->
<!--X-References-End-->
<!--X-BotPNI-->

By Date

By Thread

Current thread:

Contributing Back Zhang Xiao (Jul 02)

Re: Contributing Back Francis Perron (Jul 02)

Re: Contributing Back Daniel Stenberg (Jul 02)

Re: Contributing Back Zhang Xiao (Jul 02)

Re: Contributing Back Solar Designer (Jul 11)

Re: Contributing Back Zhang Xiao (Jul 13)

Re: Contributing Back Solar Designer (Jul 20)
Re: Contributing Back Mohammad Tausif Siddiqui (Jul 23)
Re: Contributing Back Zhang Xiao (Jul 23)

Re: Contributing Back Solar Designer (Jul 23)
Re: Contributing Back Zhang Xiao (Jul 28)

&lt;Possible follow-ups&gt;
Re: Contributing Back Solar Designer (Sep 03)

Re: Contributing Back Seth Arnold (Sep 03)

Re: Contributing Back Vincent Batts (Sep 09)

 

<!--X-BotPNI-End-->
<!--X-User-Footer-->
<!--X-User-Footer-End-->

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started