oasis-tcs / csaf

OASIS CSAF TC: Supporting version control for Work Product artifacts developed by members of TC, including prose specifications and secondary artifacts like meeting minutes and productivity code
https://github.com/oasis-tcs/csaf

Clarify the involvements section (1) #220

Closed tschmidtb51 closed 3 years ago

tschmidtb51 commented 3 years ago

During the review of #205 there were some comments regarding the definitions and explanations used in the involvements property:


@tolim stated in https://github.com/oasis-tcs/csaf/pull/205#discussion_r611769150:

It is unclear to me how this value should be used. I would assume that disputed in the context of the party means, that the named party and its affiliation to the vulnerability is disputed (and not the vulnerability report in its entirety). If there is no security implication, the vulnerability CVSS score would indicate this by a value of 0. Is there any case, where the value disputed would be used? At least from a vendor perspective, this value will never be useful as disputed or non-responding parties will not be mentioned in the advisory.


@sthagen replied in https://github.com/oasis-tcs/csaf/pull/205#discussion_r611778803:

Defining categories in deeply nested structures sometimes makes us miss the forest for the trees - I will read CVRF v1.2 again to see how we did there. Thanks for bringing this scope / use question up @tolim


This issue is used to track the progress and provide a place for discussions.

tschmidtb51 commented 3 years ago

@tolim: What about this use case:

A security researcher (let's call him Bob) applies for a CVE and gets it granted by a CERT (let's call that CERT-XY). The vendor (say FooBar) states he is not affected. This brings us to the situation where:

I agree that the latter one is probably unlikely.

Having written that example I think I see the problem too. The definition always refers to the vendor instead of referring to the party.

tolim commented 3 years ago

After reviewing the pull request, I agree to keep disputed in the spec. It definitely is useful for CERTs providing status reports on different vendors within one document.
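The use case in this thread (Bob as discoverer, CERT-XY as coordinator, FooBar as a vendor that disputes being affected, plus a CERT reporting on several vendors in one document) expressed as a CSAF involvements fragment, with a small consistency check over it. This is an added example, not code from the CSAF TC or the csaf repository. It assumes the field names and enum values of the published CSAF 2.0 schema (`party`, `status`, `date`, `summary`), which may differ from the draft under discussion in #205; the uniqueness rule on the party/date pair is likewise an assumption taken from the published specification, and all sample data is constructed.

```python
"""Added example (not the CSAF TC's code): a constructed CSAF 2.0 ``involvements``
fragment for the use case discussed in this issue, plus a small consistency check.

Assumptions: property names and enum values follow the published CSAF 2.0 schema;
the party/date uniqueness rule is taken from that specification as well.
"""
import json

# Enum values as published in CSAF 2.0 (assumption: unchanged from the draft).
PARTIES = {"coordinator", "discoverer", "other", "user", "vendor"}
STATUSES = {"completed", "contact_attempted", "disputed",
            "in_progress", "not_contacted", "open"}

# Constructed sample document: CERT-XY (coordinator) handles the CVE reported by
# Bob (discoverer). FooBar (vendor) states it is not affected, so the coordinator
# records that vendor's involvement as "disputed"; a second vendor has completed.
SAMPLE_DOC = json.loads("""
{
  "vulnerabilities": [
    {
      "title": "Constructed example vulnerability",
      "involvements": [
        {"party": "discoverer", "status": "completed",
         "date": "2021-04-01T00:00:00Z",
         "summary": "Reported by Bob (constructed)."},
        {"party": "coordinator", "status": "in_progress",
         "date": "2021-04-05T00:00:00Z",
         "summary": "CERT-XY assigned the CVE (constructed)."},
        {"party": "vendor", "status": "disputed",
         "date": "2021-04-10T00:00:00Z",
         "summary": "FooBar states its product is not affected (constructed)."},
        {"party": "vendor", "status": "completed",
         "date": "2021-04-12T00:00:00Z",
         "summary": "Second vendor shipped a fix (constructed)."}
      ]
    }
  ]
}
""")


def check_involvements(vuln):
    """Return a list of problems found in one vulnerability's involvements:
    unknown party or status values, and repeated (party, date) pairs."""
    problems = []
    seen = set()
    for i, inv in enumerate(vuln.get("involvements", [])):
        party, status = inv.get("party"), inv.get("status")
        if party not in PARTIES:
            problems.append(f"involvement {i}: unknown party {party!r}")
        if status not in STATUSES:
            problems.append(f"involvement {i}: unknown status {status!r}")
        key = (party, inv.get("date"))
        if key in seen:
            problems.append(f"involvement {i}: duplicate party/date {key}")
        seen.add(key)
    return problems


def disputed_parties(vuln):
    """Parties whose involvement in this vulnerability is recorded as disputed."""
    return sorted(inv["party"] for inv in vuln.get("involvements", [])
                  if inv.get("status") == "disputed")


def status_report(doc):
    """Per-vulnerability list of (party, date, status) triples: the kind of
    overview a CERT publishes when it reports on several vendors in one document."""
    report = []
    for vuln in doc.get("vulnerabilities", []):
        report.append([(inv["party"], inv.get("date"), inv["status"])
                       for inv in vuln.get("involvements", [])])
    return report


if __name__ == "__main__":
    vuln = SAMPLE_DOC["vulnerabilities"][0]
    print("problems:", check_involvements(vuln))
    print("disputed:", disputed_parties(vuln))
    for row in status_report(SAMPLE_DOC)[0]:
        print(*row)
```

Read from the coordinator's side, `disputed` attaches to the named party's relation to the vulnerability, not to the report as a whole, which is the reading @tolim describes above; the check shows why the party/date pair matters, since two vendor entries on the same date would otherwise be indistinguishable.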

tschmidtb51 commented 3 years ago

Merged into the oasis-tcs/csaf:master through #265.