Closed geeknik closed 2 years ago
@psmoros - might come in line with the work we are doing at the moment on CVE automation?
@adam-nygate - would be good to get your thoughts here as well, as we could include in the scope of our new CVE release?
Hey @geeknik, yep, we plan to do something very similar to this, where the Summary field provided will by default be the text included in a potential advisory, with this information able to be overridden by the maintainer, as well as things like the CVSS and other meta-information (versions afflicted, etc.).
Sounds great, I look forward to seeing the release. Thanks for listening!
If I may leave another suggestion, maybe a link to some educational material next to the Advisory field for those folks who have never had to write an advisory before? For instance: https://cveproject.github.io/docs/content/key-details-phrasing.pdf
Hey @geeknik! Thanks for the suggestion! Does #2161 cover it?
Hi again @geeknik, I suppose your +1 on #2161 means it covers your suggestion, so I will go ahead and close this for now. If I misinterpreted your reaction, feel free to reopen this <3
Hi, I think it would make proper sense to add a "Security Advisory" field to bug reports likely to receive a CVE. This field would be editable by the researcher and the maintainer and allow for the discussion and formatting of a proper security advisory. The value in a CVE being written which only says "xxx is vulnerable to yyy" is low, and I feel that adding the ability for us to write up a simple root cause analysis can go a long way. 1024 characters or less; we don't need a novel, and if it's that big of a deal, include a link to a proper write-up. Comments would be separate from the bug report and hidden from public view (?); discussions about the root cause aren't necessarily that interesting to outside parties, and if there is a proper write-up, that will be way better to read. Once the "Publish" button is clicked by the maintainer, who in the end is the absolute authority over their own code, the advisory gets posted, the report goes public, everyone gets paid, and we move on to the next report. Thoughts?