[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: HP's policy on CVE assignments
- To: jericho <jericho@attrition.org>
- Subject: Re: HP's policy on CVE assignments
- From: Kurt Seifried <kseifried@redhat.com>
- Date: Fri, 7 Apr 2017 13:24:16 -0600
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=redhat.com;
- Cc: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Fri Apr 7 15:47:46 2017
- In-reply-to: <alpine.LNX.2.00.1704071412390.19881@forced.attrition.org>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <alpine.LNX.2.00.1704071412390.19881@forced.attrition.org>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
I guess the question is under section 2.1 of the CNA Guidelines:
"""
Assign CVE IDs to security vulnerabilities in their scope as described by the CNA’s Root CNA or the Primary CNA. CVE IDs should only be assigned to vulnerabilities that are or will be made public.2 Vulnerabilities that will not be made public do not receive CVE IDs.
"""
What counts as "public"? I would argue releasing updates counts as public, even if they are closed source (and especially if they are open source). No CVE's definitely puts customers at risk as they may not be updating (things break), and attackers will be able to find these flaws whether or not they have CVEs (using bindiff/etc.).
On Fri, Apr 7, 2017 at 1:13 PM, jericho <jericho@attrition.org> wrote:
Caught this via Twitter. Thoughts?
https://twitter.com/tombkeeper/status/850275006256787456
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com
- Follow-Ups:
- Re: HP's policy on CVE assignments
- From: jericho <jericho@attrition.org>
- Re: HP's policy on CVE assignments
- References:
- HP's policy on CVE assignments
- From: jericho <jericho@attrition.org>
- HP's policy on CVE assignments
- Prev by Date: HP's policy on CVE assignments
- Next by Date: Re: HP's policy on CVE assignments
- Previous by thread: HP's policy on CVE assignments
- Next by thread: Re: HP's policy on CVE assignments
- Index(es):
