Non-sequential Cve-Id reservation algorithm has had no security analysis #1129

Open
jdaigneau5 opened this issue Oct 31, 2023 · 1 comment

@jdaigneau5
Collaborator

Summary

The algorithm for reserving non-sequential Cve-Ids hasn't had a security analysis to confirm that there's no pattern in the reserved group of Cve-Ids.

Proposed Actions

  • Deprecate this feature, as few CNAs use it
  • Leave feature as is, but explicitly say it does not guarantee obscurity
  • Request a secure analysis be done
@jdaigneau5
Collaborator Author

AWG 8/13/24: Update Swagger docs for this endpoint clarifying that non-sequential does not guarantee randomness.

Projects
Status: Low Priority