[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

FYI, this was asked to clarify policy in December. MITRE's official 

From: "Evans, Jonathan L." <jevans@mitre.org>
X-Originating-IP: []
To: jericho <jericho@attrition.org>, cve-cna-list 
Date: Thu, 15 Dec 2016 14:10:17 +0000
Subject: RE: site-specific vulnerabilities and CVE inclusion

> First, can MITRE chime in and verify this is still current policy 
regarding site-specific issues?

It is still against the rules to assign a CVE ID to a site-specific 
vulnerability.  INC3 in the CNA Rules says "Is the vulnerability 
site-specific?... Yes: Do not assign a CVE ID."[1]

We are not opposed to assigning CVE IDs to site-specific 
When we finalized the CNA rules, we believed that we did not understand 
the use cases for site-specific vulnerabilities well
enough to write rules on how to properly count them.  We fully expect 
support for site-specific vulnerabilities to be a major topic of the 
revision of the rules.

[1] http://cve.mitre.org/cve/cna/CNA_Rules_v1.1.pdf

Jonathan Evans
Lead CVE Content Analyst
The MITRE Corporation

On Wed, 15 Feb 2017, Andy Balinsky (balinsky) wrote:

: I was having some internal discussions with our Incident Response 
team (PSIRT) at Cisco, and the issue came up of whether there are 
either any industry best practices, or Mitre policies regarding CVEs 
for hosted services.
: The situation is where a software service is hosted by a vendor on 
servers owned by the vendor. A vulnerability is discovered internally 
by the vendor. It is fixed. No action is required by the customer. She 
just starts using the fixed version next time she visits that webpage.
: So, should the vendor issue an advisory about it? And should a CVE be 
: What are other vendors doing in this case? (Maybe this list isn't the 
best place to be discussing this).
: Andy Balinsky
: balinsky@cisco.com<mailto:balinsky@cisco.com>
: [cid:7113EA8F-503E-4953-B0D3-ED49102D51E2@cisco.com]

Page Last Updated or Reviewed: February 15, 2017