
Re: HP's policy on CVE assignments



On Fri, 7 Apr 2017, Kurt Seifried wrote:

: What counts as "public"? I would argue releasing updates counts as public,
: even if they are closed source (and especially if they are open source). No

Agreed. Over the last ten years, we have seen a big leap in reversing
patches, now to the point where many companies have automated setups to do
so. They are reliable and can pull out the vulnerable files and functions,
sometimes more details. As such, I don't see a closed source patch as
being "no public details" in today's age, simply because technology has
risen to address that specifically.

: CVE's definitely puts customers at risk as they may not be updating
: (things break), and attackers will be able to find these flaws whether
: or not they have CVEs (using bindiff/etc.).

Agreed. Many organizations update based on the perceived need to, not just
because "hey look, shiny new version!" As such, not releasing details in a
changelog or advisory is negligent to some.

.b


Page Last Updated or Reviewed: April 11, 2017