One Solution to MITRE's Overworked CVE System: Build a New One (helpnetsecurity.com)

An anonymous reader writes: For the last 17 years, the American not-for-profit MITRE Corporation has been editing and maintaining the list of Common Vulnerabilities and Exposures (CVEs). According to a number of researchers, MITRE has lately been doing a lousy job when it comes to assigning these numbers, forcing researchers to do without them or to delay public disclosure of vulnerabilities indefinitely. The problem is getting worse by the day, and the situation has spurred Kurt Seifried, a "Red Hat Product Security Cloud guy" and a CVE Editorial Board member, to create a complementary system for numbering vulnerabilities.

  1. Thanks by Anonymous Coward · Score: 3, Insightful

    I was looking for a way to say this politely, but can you just can it with the systemd trolling? It has literally no connection to this proposal. This is some guy who happens to work at Red Hat. It shouldn't shock anyone that Red Hat employs a lot of people in the Linux and/or security worlds. He says right up front he is speaking on his own behalf and not that of Red Hat, and as far as I can tell he has jack-all to do with systemd development. There's even the possibility that he dislikes systemd as much as you do. I'd bet any amount of money that he would oppose your hypothetical systemd-CVE as a completely pointless increase in attack surface.

    Begone, troll. This is not the overreaching NIH syndrome you were looking for.

    1. Re:Thanks by Luthair · Score: 2, Insightful

      If they stopped trolling they might have time to write the software they want that doesn't use systemd. Of course they don't want to do actual work, they want someone else to do it for them.

  2. Re:Redhat = embrace, extend by Luthair · Score: 3, Insightful

    So in the interests of full disclosure and transparency I (Kurt Seifried) am writing this email as an individual and member of the DWF System, and not as an employee of Red Hat. Please note that although I have a day job at Red Hat I also (like many information security people) work on other projects in my personal life, either because they are not work related, or because it's simply not appropriate to work on the project as part of my day job (in this case it's less about Red Hat, and more about the fact that as a Red Hat Employee I am a member of the CVE Editorial Board).

    Seems clear RedHat has nothing to do with this