
RE: CVE's for private/"Secret" issues



Kurt,

 

I know that TippingPoint ZDI (think they are still part of HP), for one, does work with the vendor on the issues they purchase from finders and the vendors, at least we do, assign CVEs to the issues reported to us by ZDI once we release an advisory.  Not sure if they contact the Mitre team for CVEs for those vendors that don’t get their own though…

 

-Mike

Symantec Software Security Group

 

From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Kurt Seifried
Sent: Thursday, November 19, 2015 11:12 AM
To: cve-editorial-board-list
Subject: CVE's for private/"Secret" issues

 

Hey I was just reading

 

 

TL;DR: another firm that acquires 0 day vulns, the news being they published their price chart. 

 

There are now several firms like this (TippingPoint, ImmunityInc, etc.) and I was wondering what, if any, process there is with respect to CVE assignments. My experience is that the sooner a CVE is assigned the better, ideally prior to public release if possible. Has Mitre reached out to these companies at all to help them understand the value of getting CVE's in advance and so on?

 

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: 
secalert@redhat.com


Page Last Updated or Reviewed: November 27, 2015