CVE is not twitter and the vulnerability management community does not rely on it. This is a silly analogy. Different purposes, different services, different goals.
Thank you, Gracias, Grazie, Mahalo, 谢谢, Merci!, Σας ευχαριστώ!, Спасибо!, Bedankt,Danke!, ありがとう, धन्यवाद! -- Kent Landfield McAfee Enterprise +1.817.637.8026 kent_landfi...@mcafee.com<mailto:kent_landfi...@mcafee.com> From: "Chandan B.N." <cnandakum...@paloaltonetworks.com> Date: Wednesday, August 18, 2021 at 3:58 PM To: CVE Editorial Board Discussion <cve-editorial-board-list@mitre.org> Subject: Re: public reference requirement CAUTION: External email. Do not click links or open attachments unless you recognize the sender and know the content is safe. ________________________________ Completely agree that the participants must own what they contribute to the CVE list. That ownership/attribution should be clearly visible on the (new) CVE.org site. Consumers of a poorly written (vague, unactionable) CVE entry should talk to the CNA and not blame the CVE Program or MITRE. This is no different than how Twitter users are seen as being responsible for their tweets and not Twitter Inc., While a hyperlink in a tweet may increase a tweet's credibility, why would lack of one make a tweet not authoritative? IMHO the reason services like Twitter have a lot of participation is because they do not require everyone to set up their own websites to be able to publish opinions (which was the case in the 1990s :-)) Thank you, Chandan On Wed, Aug 18, 2021 at 1:07 PM Art Manion <aman...@cert.org<mailto:aman...@cert.org>> wrote: Towards the end of the discussion today, this came up: Participants in these sorts of large/distributed systems (the CVE Program) *must* have some real responsibility, aka skin in the game. So, the requirement to me is that the entity requesting or assigning or populating the CVE entry *must also be willing to make the same claim themselves.* This can be a git commit, a vendor advisory, a researcher blog post. More than the content, the fact that the claim is published by the CVE requester/assigner matters. Otherwise the system allows participants to push responsibility on the program that the program doesn't own -- the program catalogs vulnerabilities, the program doesn't own (i.e., discover, create, fix) vulnerabilities. - Art -- Sr Director, Product Security Assurance, Vulnerability Remediation, and PSIRT Palo Alto Networks https://security.paloaltonetworks.com/
