maybe a number of independent reviewers. kind of like we have reviewers for scientific papers, except i would make the list of reviewers known and attached to the CVE like signoffs on patches, including reviewers that reject the claims. (actually, that should be done for papers as well, but that's a different discussion)
then you can evaluate the seriousness of any CVE not only by its assigned threat level but also by weighing who and how many people reviewed the claims.
further there could be review levels, also similar to how bug reports are handled: new/incoming, triage, verified/reproduced, closed/unreproducible, fixed.
that would allow further categorization and give people another way to evaluate if a CVE is serious.