Posted to dev@ignite.apache.org by Denis Magda <dm...@apache.org> on 2017/01/03 17:52:18 UTC

Re: Product ID for Apache Ignite

Hi Mark,

I reached out to both MITRE and cvedetails.com folks as you suggested earlier. Below you can see the answer from MITRE. CVE guys have not replied yet.

One of the things suggested by MITRE is the following:

> One last item to note is that Apache is a CVE CNA. You can find more information about the CNA program at http://cve.mitre.org/cve/cna.html. We realize that there are many Apache products, but you may want to investigate this and reach out to the appropriate folks within Apache to not only share the CVE ID pool, but also potentially communicate when vulnerabilities are found in Apache Ignite.

Do you guys keep an eye on all Apache vulnerabilities or subscribe to the updates? If so, could you update the Apache Ignite community every time an Ignite vulnerability has been discovered?

Regards,
Denis

> On Dec 29, 2016, at 10:03 AM, Coffin, Chris <cc...@mitre.org> wrote:
> 
> Denis,
>  
> The cvedetails.com web site is not affiliated with MITRE and you would need to contact them directly if you wanted to see a change in the URL you had provided. The contact information for cvedetails.com can be found at http://www.cvedetails.com/about-contact.php.
>  
> The MITRE CVE team does not currently provide any notifications for CVEs, but has considered this in the recent past. One thought was to create a registry of product vendors that is used for contact purposes when a CVE ID is published and affects the vendor. If this is something that would be of interest to you, please let us know.
>  
> One last item to note is that Apache is a CVE CNA. You can find more information about the CNA program at http://cve.mitre.org/cve/cna.html. We realize that there are many Apache products, but you may want to investigate this and reach out to the appropriate folks within Apache to not only share the CVE ID pool, but also potentially communicate when vulnerabilities are found in Apache Ignite.
>  
> Regards,
>  
> Chris Coffin
> The CVE Team
>  
> From: Denis Magda [mailto:dmagda@apache.org] 
> Sent: Wednesday, December 28, 2016 3:18 PM
> To: Common Vulnerabilities & Exposures <cv...@mitre.org>
> Cc: private@ignite.apache.org
> Subject: Fwd: Product ID for Apache Ignite 
>  
> Dear Sir/Madam,
>  
> I’m writing you on behalf of Apache Ignite [1] community to check if there is a way to obtain a product ID for our project. The whole purpose of that is to be proactive by handling vulnerabilities as soon as they appear in the CVE database. 
>  
> For instance, we can use services like that [2] to subscribe to vulnerability-related updates. To do that, both vendor ID and product ID have to be known. In our case the vendor is 45 (Apache Foundation) while there is no product ID for Apache Ignite yet.
>  
> Could you assist and register a product ID for Apache Ignite?
>  
> [1] https://ignite.apache.org
> [2] http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
>  
> Regards,
> Denis Magda
> Apache Ignite PMC Chair
> 
> 
> Begin forwarded message:
>  
> From: Mark Thomas <markt@apache.org>
> Subject: Re: Product ID for Apache Ignite at CVE
> Date: December 12, 2016 at 9:01:58 AM PST
> To: private@ignite.apache.org
> Cc: security@apache.org
> Reply-To: private@ignite.apache.org
>  
> On 08/12/2016 01:59, Denis Magda wrote:
> 
> Hello,
> 
> I’m writing on behalf of Apache Ignite [1] community. We would like to
> register Apache Ignite in CVE database so that it appears in the list of
> Apache products [2] already registered there and has its own unique
> product ID.
> 
> Who can assist us with this or provide guidance?
> 
> Sorry, not a clue.
> 
> I suspect updates are made as new products issue vulnerability
> announcements. cvedetails.com isn't part of Mitre so I suggest you
> contact cvedetails.com directly with your query.
> 
> Mark
> 
> 
> 
> 
> 
> [1] https://ignite.apache.org
> [2] http://www.cvedetails.com/product-list/vendor_id-45/Apache.html
> 
> Regards,
> Denis


Re: Product ID for Apache Ignite

Posted by Mark Thomas <ma...@apache.org>.
On 03/01/2017 17:52, Denis Magda wrote:
> Hi Mark,
> 
> I reached out to both MITRE and cvedetails.com folks as you suggested
> earlier. Below you can see the answer from MITRE. CVE guys have not
> replied yet.
> 
> One of the things suggested by MITRE is the following:
> 
>> One last item to note is that Apache is a CVE CNA. You can find more
>> information about the CNA program
>> at http://cve.mitre.org/cve/cna.html. We realize that there are many
>> Apache products, but you may want to investigate this and reach out to
>> the appropriate folks within Apache to not only share the CVE ID pool,
>> but also potentially communicate when vulnerabilities are found in
>> Apache Ignite.
> 
> Do you guys keep an eye on all Apache vulnerabilities or subscribe to
> the updates? If so, could you update the Apache Ignite community every
> time an Ignite vulnerability has been discovered?

That isn't how vulnerability handling works.

See http://www.apache.org/security/committers.html

Any vulnerability reports for Apache Ignite received by the security
team will be passed privately to the project for resolution.

Mark

