ignite-dev mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: Product ID for Apache Ignite
Date Mon, 16 Jan 2017 14:01:11 GMT
On 03/01/2017 17:52, Denis Magda wrote:
> Hi Mark,
> 
> I reached out to both MITRE and cvedetails.com
> <http://cvedetails.com> folks as you suggested earlier. Below you can
> see the answer from MITRE. CVE guys have not replied yet.
> 
> One of the things suggested by MITRE is the following
> 
>> One last item to note is that Apache is a CVE CNA. You can find more
>> information about the CNA program
>> at http://cve.mitre.org/cve/cna.html. We realize that there are many
>> Apache products, but you may want to investigate this and reach out to
>> the appropriate folks within Apache to not only share the CVE ID pool,
>> but also potentially communicate when vulnerabilities are found in
>> Apache Ignite.
> 
> Do you guys keep an eye on all Apache vulnerabilities or subscribe to
> the updates? If so, could you update the Apache Ignite community every time
> an Ignite vulnerability has been discovered?

That isn't how vulnerability handling works.

See http://www.apache.org/security/committers.html

Any vulnerability reports for Apache Ignite received by the security
team will be passed privately to the project for resolution.

Mark


> 
> Regards,
> Denis
> 
>> On Dec 29, 2016, at 10:03 AM, Coffin, Chris <ccoffin@mitre.org
>> <mailto:ccoffin@mitre.org>> wrote:
>>
>> Denis,
>>  
>> The cvedetails.com <http://cvedetails.com/> web site is not affiliated
>> with MITRE and you would need to contact them directly if you wanted
>> to see a change in the URL you had provided. The contact information
>> for cvedetails.com <http://cvedetails.com/> can be found
>> at http://www.cvedetails.com/about-contact.php.
>>  
>> The MITRE CVE team does not currently provide any notifications for
>> CVEs, but has considered this in the recent past. One thought was to
>> create a registry of product vendors that is used for contact purposes
>> when a CVE ID is published and affects the vendor. If this is
>> something that would be of interest to you, please let us know.
>>  
>> One last item to note is that Apache is a CVE CNA. You can find more
>> information about the CNA program
>> at http://cve.mitre.org/cve/cna.html. We realize that there are many
>> Apache products, but you may want to investigate this and reach out to
>> the appropriate folks within Apache to not only share the CVE ID pool,
>> but also potentially communicate when vulnerabilities are found in
>> Apache Ignite.
>>  
>> Regards,
>>  
>> Chris Coffin
>> The CVE Team
>>  
>> *From:* Denis Magda [mailto:dmagda@apache.org] 
>> *Sent:* Wednesday, December 28, 2016 3:18 PM
>> *To:* Common Vulnerabilities & Exposures <cve@mitre.org
>> <mailto:cve@mitre.org>>
>> *Cc:* private@ignite.apache.org <mailto:private@ignite.apache.org>
>> *Subject:* Fwd: Product ID for Apache Ignite 
>>  
>> Dear Sir/Madam,
>>  
>> I’m writing you on behalf of Apache Ignite [1] community to check if
>> there is a way to obtain a product ID for our project. The whole
>> purpose of that is to be proactive by handling vulnerabilities as soon
>> as they appear in the CVE database. 
>>  
>> For instance, we can use services like that [2] to subscribe for
>> vulnerabilities related updates. To do that, both vendor ID and
>> product ID have to be known. In our case the vendor is 45 (Apache
>> Foundation) while there is no product ID for Apache Ignite yet. 
>>  
>> Could you assist and register product ID for Apache Ignite?
>>  
>> [1] https://ignite.apache.org <https://ignite.apache.org/>
>> [2] http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
>>  
>> Regards,
>> Denis Magda
>> Apache Ignite PMC Chair
>>
>>
>>     Begin forwarded message:
>>      
>>     *From: *Mark Thomas <markt@apache.org <mailto:markt@apache.org>>
>>     *Subject: Re: Product ID for Apache Ignite at CVE*
>>     *Date: *December 12, 2016 at 9:01:58 AM PST
>>     *To: *private@ignite.apache.org <mailto:private@ignite.apache.org>
>>     *Cc: *security@apache.org <mailto:security@apache.org>
>>     *Reply-To: *private@ignite.apache.org
>>     <mailto:private@ignite.apache.org>
>>      
>>     On 08/12/2016 01:59, Denis Magda wrote:
>>
>>         Hello,
>>
>>         I’m writing on behalf of Apache Ignite [1] community. We would
>>         like to register Apache Ignite in CVE database so that it appears
>>         in the list of Apache products [2] already registered there and
>>         has its own unique product ID.
>>
>>         Who can assist us with this or provide a guidance?
>>
>>
>>     Sorry, not a clue.
>>
>>     I suspect updates are made as new products issue vulnerability
>>     announcements. cvedetails.com <http://cvedetails.com/> isn't part
>>     of Mitre so I suggest you
>>     contact cvedetails.com <http://cvedetails.com/> directly with your
>>     query.
>>
>>     Mark
>>
>>
>>
>>
>>
>>         [1] https://ignite.apache.org <https://ignite.apache.org/>
>>         [2] http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
>>
>>         Regards,
>>         Denis
> 

