On Sun, 28 Jan 2007, Pavel Kankovsky wrote:
> How much time does it take to get a new CVE number? Hours? Days?
> How do you handle duplicate CVEs? (I don't know how often it happens
> nowadays but they had some duplicate entries in the past.)
Red Hat is a Candidate Naming Authority which means that for issues that
are not already public we can assign names from our pool. Where an issue
is public Mitre usually respond within a day or two. We can get them to
respond faster if it's urgent (like some new issue that's critical and
going to get a lot of attention).
NVD say these are "user complicit" and marked as local.
I think they got it wrong. See above.
A severity rating system is useless to us if it reaches a level of
complexity where 1) it's unlikely two researchers will assign the same
values given the same conditions and 2) it takes longer to assign a
severity rating than triage and fix the flaw. But based on your comments
we do plan on looking at a sampling of more recent CVSS examples on NVD
again and seeing if they're getting closer to being useful.
Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team