On Fri, Sep 16, 2005 at 02:29:23PM +0200, Florian Weimer wrote:
> * Andres Salomon:
>
> > How can you tell? The mitre description is absolutely useless. I
> > fucking hate this stupid vendor-sec/mitre non-disclosure policy,
>
> In most cases, MITRE does not have access to pre-disclosure
> information. They just hand out unique names, and update the database
> based on public data afterwards. However, it is true that they demand
> that CNAs (who can assign CANs) "must follow responsible disclosure
> practices that are accepted by a significant portion of the security
> community" -- whatever this means. Of course, you still receive a CAN
> assignment no matter how you disclose a vulnerability.
>
> That being said, it's not the job of MITRE to explain the nature of
> vulnerabilities if upstream fails us. The CVE database only reflects
> what the vendors (or other respected data sources) publish. MITRE
> certainly does not mandate researchers or CNAs to keep issues secret.
Unfortunately, in the case of kernel bugs, that disclosure is often not
happening in a useful way. This does greatly lessen the value of the CAN
numbers as a way to refer to a bug, because frankly it is far too often
hard to tell which bug/fix the CAN refers to.

-- 
Horms

