
Re: CVE for hosted services

This has been discussed in the past and the feeling was this was not something that would need a CVE as there is no need to identify the vulnerability outside the organization. Most host providers quickly correct those types of situations and it is generally not an external concern.


That said, if the vulnerability is in commonly used software supplying a portion of a hosted service that other providers are using as well, it would make sense to assure the vulnerability was processed appropriately.


The question you have to ask yourself is, does this discovered vulnerability potentially affect other companies and hosted services outside your organization? If so, a CVE is probably needed. If it is homegrown software that no one else runs or a local configuration issue, then probably not...



Kent Landfield



From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Andy Balinsky (balinsky)" <balinsky@cisco.com>
Date: Wednesday, February 15, 2017 at 11:17 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CVE for hosted services


I was having some internal discussions with our Incident Response team (PSIRT) at Cisco, and the issue came up of whether there are either any industry best practices, or Mitre policies regarding CVEs for hosted services.


The situation is where a software service is hosted by a vendor on servers owned by the vendor. A vulnerability is discovered internally by the vendor. It is fixed. No action is required by the customer. She just starts using the fixed version next time she visits that webpage.

So, should the vendor issue an advisory about it? And should a CVE be generated?


What are other vendors doing in this case? (Maybe this list isn't the best place to be discussing this).


Andy Balinsky

Page Last Updated or Reviewed: February 15, 2017