
RE: CVE for hosted services



Hi Andy


Probably not the best place to get into a deep discussion, but there is a current INC rule 3 on the MITRE page

http://cveproject.github.io/docs/cna/application-guidance.html

Is the issue site-specific? Is it only in an online service (software-as-a-service), on a specific web site, or only offered through hosting solutions that are under the full control of the vendor?


So the current answer is no, but I agree that with the rise of hosted services since this rule was set, it likely needs to be revisited.


regards

-Mike Prosser

Symantec Software Security Group


From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Andy Balinsky (balinsky)
Sent: Wednesday, February 15, 2017 1:17 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE for hosted services


I was having some internal discussions with our Incident Response team (PSIRT) at Cisco, and the issue came up of whether there are either any industry best practices, or Mitre policies regarding CVEs for hosted services. 


The situation is where a software service is hosted by a vendor on servers owned by the vendor. A vulnerability is discovered internally by the vendor. It is fixed. No action is required by the customer. She just starts using the fixed version next time she visits that webpage. 

So, should the vendor issue an advisory about it? And should a CVE be generated?


What are other vendors doing in this case? (Maybe this list isn't the best place to be discussing this).


Andy Balinsky


Page Last Updated or Reviewed: February 15, 2017