Re: Vulnerability discovery credits, vendor acknoweldgement, and CVE

To: "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: Vulnerability discovery credits, vendor acknoweldgement, and CVE
From: aleph1@securityfocus.com
Date: Thu, 21 Sep 2000 09:43:31 -0700
Cc: cve-editorial-board-list@lists.mitre.org
Delivery-Date: Thu Sep 21 12:47:21 2000
In-Reply-To: <200009211614.MAA07926@teagarden.mitre.org>; from coley@LINUS.MITRE.ORG on Thu, Sep 21, 2000 at 12:14:18PM -0400
References: <200009211614.MAA07926@teagarden.mitre.org>

* Steven M. Christey (coley@LINUS.MITRE.ORG) [000921 16:33]:
> 
> While we're on the topic, a neutral third party who is part of the
> disclosure between discoverer and vendor will be able to minimize the
> "he said, she said" finger-pointing that goes on when the discoverer
> claims that the vendor didn't respond, and the vendor claims that they
> were never notified.  This in turn could help make it more clear when
> a vendor is aware of, and has fixed, the vulnerability.  60% of all
> active CVE candidates don't have any concrete vendor acknowledgement,
> at least since I started recording it for CAN-1999-0671 and later.
> The precentage is probably higher if you consider the 300+ candidates
> still remaining from the draft CVE.  I've had to delve into logs or
> readme's to find some acknowledgement.

Thats exactly what we are offering to do with the VulnHelp service.

> - Steve

-- 
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum

References:
- Vulnerability discovery credits, vendor acknoweldgement, and CVE
  - From: "Steven M. Christey" <coley@linus.mitre.org>

Prev by Date: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Next by Date: Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Prev by thread: Vulnerability discovery credits, vendor acknoweldgement, and CVE
Next by thread: RE: [CVEPRI] Handling new vulnerabilities discovered by Steve Chr istey
Index(es):
- Date
- Thread