[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE For Services

To: "Andy Balinsky (balinsky)" <balinsky@cisco.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE For Services
From: "kseifried@redhat.com" <kseifried@redhat.com>
Date: Tue, 5 Sep 2017 21:33:09 -0600
Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=none header.from=redhat.com;
Delivery-date: Wed Sep 6 07:43:28 2017
In-reply-to: <164102EE-4473-42F6-A563-05DE00A50523@cisco.com>
List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <164102EE-4473-42F6-A563-05DE00A50523@cisco.com>
Reply-to: <kseifried@redhat.com>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
Spamdiagnosticoutput: 1:2
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.3.0

On 2017-09-05 09:02 PM, Andy Balinsky (balinsky) wrote:
> I plan to bring up discussion of this topic at tomorrow's board 
> meeting.
> It lead to a healthy online discussion, but has languished for 6 
> months.
> Whether we make a change to the INC3 rule or not, we need to do so
> deliberately, not by neglect of discussion.
> 
> Thanks,
> 
> Andy Balinsky (balinsky)
> PSIRT Engineering
> balinsky@cisco.com <mailto:balinsky@cisco.com>

I am in favor of this (more transparency is better IMHO), however I see
two main obstacles:

1) Many services don't want to admit to flaws, and they can generally
hide them (only if someone's blog posting goes viral do we usually find
out), it's hard to test and hold them accountable (especially with many
jurisdictions having laws against poking away at services).

2) The services that do care about this kind of thing are running bug
bounties and thus already getting a lot of the benefit that CVE would
provide in the form of having a mature security process, and having a
service CVE doesn't give them much benefit (at this time).

I would suggest if we are going to go ahead with this we talk to the
service bug bounty companies as, by definition, they have all the people
that would care about this.

-- 

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Follow-Ups:
- Re: CVE For Services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>

References:
- CVE For Services
  - From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>

Prev by Date: CVE For Services
Next by Date: CNA Rules Revision Phase 2 - Week 5
Previous by thread: CVE For Services
Next by thread: Re: CVE For Services
Index(es):
- Date
- Thread