Re: Free Hackers Manifest

From: Steven M. Christey (coley@LINUS.MITRE.ORG)
Date: 08/08/02

Date:         Thu, 8 Aug 2002 13:37:48 -0400
From: "Steven M. Christey" <coley@LINUS.MITRE.ORG>

qwerty qwerty <> said:

>vendors can sit for months on an unpublished bug [7]
>[7] Compare CVE assignment dates of
> and
> with
> Also notice the synchronicity of assignment
> dates for different research groups, all released under
>Microsoft the same day.

The assignment dates for CVE candidate numbers do not necessarily mean
that a vendor knew about a particular issue at the time of assignment.
In some cases, MITRE provides an organization with a pool of "blank"
candidates, so that the organization can assign a candidate to a new
issue *as it is discovered*. Such organizations, referred to as
Candidate Numbering Authorities (CNAs), are reserving more and more
"blank" candidates as time goes on (this is part of the push for CVE
to become more timely).

Therefore, it cannot always be known when the vendor (rather, the
organization who requested the number) knew about the issue. That
information may be included in researcher vulnerability reports, if
the researcher includes a "vendor history" or timeline.
Interestingly, vendor advisories rarely include such a timeline in
their own advisories. In some cases, the CERT Vulnerability Notes
database includes vendor notification dates (which makes for
interesting reading).

More information on CNAs and the candidate reservation process may be
found at

Steve Christey
CVE Editor