
Re: Merging Core and Extras affecting security updates

On Sun, 28 Jan 2007, Pavel Kankovsky wrote:
How much time does it take to get a new CVE number? Hours? Days?
How do you handle duplicate CVEs? (I don't know how often it happens
nowadays but they had some duplicate entries in the past.)

Red Hat is a Candidate Naming Authority which means that for issues that are not already public we can assign names from our pool. Where an issue is public Mitre usually respond within a day or two. We can get them to respond faster if it's urgent (like some new issue that's critical and going to get a lot of attention).

NVD say these are "user complicit" and marked as local.
I think they got it wrong. See above.

A severity rating system is useless to us if it reaches a level of complexity where 1) it's unlikely two researchers will assign the same values given the same conditions and 2) it takes longer to assign a severity rating than triage and fix the flaw. But based on your comments we do plan on looking at a sampling of more recent CVSS examples on NVD again and seeing if they're getting closer to being useful.

Thanks, Mark
Mark J Cox / Red Hat Security Response Team
