"No CVEs will be assigned for unfixed security issues in the Linux kernel, assignment will only happen after a fix is available as it can be properly tracked that way by the git commit id of the original fix."
This will be interesting: if another Linux vendor assigns a CVE and upstream duplicates it, the older CVE usually takes precedence, and they need to mark it as a duplicate, which is more housekeeping than just assigning it when they know about it.
Just in case anybody is wondering if this is significant... think about the implications of tens of thousands of CVE numbers being assigned for every stable kernel patch. There will have to be changes in the ways people are dealing with these.
em-bee|2 years ago
as i commented there: https://news.ycombinator.com/item?id=39054152
no one should ever be able to file a CVE without the product owner having a say in this.
filing a CVE should always include the party that is responsible for the vulnerability, with proper checks and balances.
the current process allows accusing someone without the accused having any ability to defend themselves. it was created with the expectation that only security experts who know what they are doing will file CVEs. that expectation has not held.
this is pretty much why Linus Torvalds refused to announce when they fix security issues in the Linux kernel.
philipwhiuk|2 years ago
That's a really stupid idea. CVEs track security vulnerabilities, not 'security vulnerabilities the product owner is prepared to admit to'.
Imagine if Cisco decided they were going to be the CNA for Cisco devices and just weren't going to issue any CVEs for any vulnerabilities in any Cisco devices, regardless of whether they're exploited or not.
egberts1|2 years ago
Linus Torvalds: "A bug is a bug."
As a kernel developer of an ATM driver, I couldn't care less if there is a bug, much less some public authority (t)outing my driver as buggy. They'll get fixed, unit-tested, and real-world live-tested for the next release.
philipwhiuk|2 years ago
Every unfixed security issue is now no longer assigned a CVE until it's fixed. That's even worse.
worthless-trash|2 years ago
I'm glad the LK finally has come to this conclusion, I don't care if it ends up exploding and using a lot of CVEs.
Good Work.
blibble|2 years ago
how about: CVF
peanut-walrus|2 years ago
Mature, you guys.