PGP key for vulnerability reports

[Tomas Hoger]

On Wed, 22 Jan 2014 13:04:56 -0800 Mark Doliner wrote:

> Tomas, is there discoverer attribution info associated with each CVE
> ID? If so, could we double check who's listed for CVE-2013-6486 and
> CVE-2013-6487. (Feel free to forward this email as you deem
> appropriate.)

I do not believe CVE / Mitre explicitly tracks attribution data for
CVEs.  They don't include such info with the date they make available
publicly.  Vendors and vulnerability databases often track that and
provide acknowledgments via released advisories, but they may follow
different rules (e.g. vendors mentioning reporter whenever one is known
vs. vendors only acknowledging "responsible" reports).

In this case, any acknowledgments listed in upstream pidgin advisories
are likely to be picked up by downstream vendors and vulnerability
databases.

> I believe it should ideally be:
> CVE-2013-6486 - Yves Younan of Sourcefire VRT
> CVE-2013-6487 - Yves Younan, Ryan Pentney, and Pawel Janic of
> Sourcefire VRT

Ah, I see there is more detail for these now than were available before.

> > Great, thanks for the update Mark. Did we manage to get credit
> > merged so everyone shows up on the combined CVE? They're all a
> > similar class of vulnerability but in different components so it
> > seems a little unusual to merge them. I'm fine with that decision,
> > I just want to make sure my guys get credited appropriately.

Assignment tried to follow documented CVE content decisions:

http://cve.mitre.org/cve/editorial_policies/cd_abstraction.html

These say that issues of the same flaw type and affecting same version
are typically expected to be merged under the same id.  Different
reporter is, while not documented above, also considered a reason to
split.  The info we previously had for the 3 issues under CVE-2013-6487
was limited to "discovered by Sourcefire VRT", hence split was not done
on different reporter.

-- 
Tomas Hoger / Red Hat Security Response Team