[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CVE for hosted services
- To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
- Subject: CVE for hosted services
- From: "Andy Balinsky (balinsky)" <balinsky@cisco.com>
- Date: Wed, 15 Feb 2017 19:17:24 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=fail action=none header.from=cisco.com;mitre.org; dkim=none (message not signed) header.d=none;
- Delivery-date: Wed Feb 15 15:29:48 2017
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHSh8Aj1e59GSRwMUG57Y4RbN3D2Q==
- Thread-topic: CVE for hosted services
|
I was having some internal discussions with our Incident Response team (PSIRT) at Cisco, and the issue came up of whether there are either any industry best practices, or Mitre policies regarding CVEs for hosted services.
The situation is where a software service is hosted by a vendor on servers owned by the vendor. A vulnerability is discovered internally by the vendor. It is fixed. No action is required by the customer. She just starts using the fixed version
next time she visits that webpage.
So, should the vendor issue an advisory about it? And should a CVE be generated?
What are other vendors doing in this case? (Maybe this list isn't the best place to be discussing this).
Andy Balinsky
|
- Follow-Ups:
- Re: CVE for hosted services
- From: jericho <jericho@attrition.org>
- RE: CVE for hosted services
- From: Mike Prosser <mprosser@symantec.com>
- Re: CVE for hosted services
- From: "Landfield, Kent B" <kent.b.landfield@intel.com>
- Re: CVE for hosted services
- Prev by Date: RE: education suggestion
- Next by Date: Re: CVE for hosted services
- Previous by thread: RE: education suggestion
- Next by thread: Re: CVE for hosted services
- Index(es):
