[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Vulnerability discovery credits, vendor acknoweldgement, and CVE

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000921 16:33]:
> 
> While we're on the topic, a neutral third party who is part of the
> disclosure between discoverer and vendor will be able to minimize the
> "he said, she said" finger-pointing that goes on when the discoverer
> claims that the vendor didn't respond, and the vendor claims that they
> were never notified.  This in turn could help make it more clear when
> a vendor is aware of, and has fixed, the vulnerability.  60% of all
> active CVE candidates don't have any concrete vendor acknowledgement,
> at least since I started recording it for CAN-1999-0671 and later.
> The precentage is probably higher if you consider the 300+ candidates
> still remaining from the draft CVE.  I've had to delve into logs or
> readme's to find some acknowledgement.

Thats exactly what we are offering to do with the VulnHelp service.

> - Steve

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
Page Last Updated or Reviewed: May 22, 2007