Update definitions #17

Closed
EvansJonathan opened this issue Jul 21, 2017 · 5 comments

@EvansJonathan
Contributor

GOAL: Clarify existing language.
CHANGE:
Clarify the difference between "when a vulnerability is made public" versus "when a vulnerability is added to the CVE list" and how they affect each other.
OUTCOME: Less vague or confusing language.

@EvansJonathan
Contributor Author

EvansJonathan commented Aug 7, 2017

Discussion of "when a vulnerability is made public" can be found in sections:

  • 2.1.1
  • 2.2.6
  • 2.2.7
  • 4.1.3
  • INC2

@EvansJonathan
Contributor Author

I could not find a discussion of "when a vulnerability is added to the CVE list" in the CNA Rules.

@EvansJonathan
Contributor Author

I have been using the following criteria for "when a vulnerability is public" when I train new CNAs. The criteria are based on the required information in Appendix B and MITRE's requirement that any information in a CVE entry be made public elsewhere first (see #26).

  • For a vulnerability to be considered public, it must meet the following conditions:
    • It has to have a URL
    • The Terms of the website must allow the CVE List to link to the URL
    • The document linked to by the URL must contain the minimum required information for a CVE entry.
      • Product
      • Version
      • Problem type (vulnerability type or impact)
  • Registration and login requirements are acceptable, but there can’t be other restrictions
  • Advisories that require payment to access are not considered public
    • If you have a public advisory with the minimum required details and other details require payment to access, then the vulnerability is considered public

@dadinolfi
Contributor

To be added to section 2.1.1 after the existing content:

Note: for a vulnerability to be considered "public", the following conditions must be met:

  • There must be a URL including information about the vulnerability accessible from the internet.
  • The Terms of Use of the website must allow the CVE List to link to the URL.
  • The document linked by the URL must contain the minimum required information for a CVE Entry (see Appendix B).

Registration and login requirements are acceptable, but there cannot be other restrictions for accessing that content. Also, advisories that require payment for access are not considered public. That said, if you have a public advisory with the minimum required details with additional details available through paid access, the vulnerability is still considered public.

@dadinolfi
Contributor

Updated CNA Rules draft.
