
Re: [Secure-testing-team] kernel update
* Andres Salomon:

> How can you tell?  The mitre description is absolutely useless.  I
> fucking hate this stupid vendor-sec/mitre non-disclosure policy,

In most cases, MITRE does not have access to pre-disclosure
information.  They just hand out unique names, and update the database
based on public data afterwards.  However, it is true that they demand
that CNAs (who can assign CANs) "must follow responsible disclosure
practices that are accepted by a significant portion of the security
community" -- whatever this means.  Of course, you still receive a CAN
assignment no matter how you disclose a vulnerability.

That being said, it's not the job of MITRE to explain the nature of
vulnerabilities if upstream fails us.  The CVE database only reflects
what the vendors (or other respected data sources) publish.  MITRE
certainly does not mandate researchers or CNAs to keep issues secret.
