On 2017-02-15 15:00, Andy Balinsky (balinsky) wrote:

> I think the main benefit would be to unify discussions about an issue.
> If a SaaS vulnerability were disclosed and then academic or online
> discussions wanted to refer to the vulnerability with specificity to
> disambiguate from some similar vulnerability. That, I suppose, is the
> only aspect left to debate. I don't know if it is a compelling case
> or not.

As many on this list know, I'm in favor of any vulnerability being able
to get a CVE ID.  Vulnerabilities are abstract things, we need to
identify them to be able to talk about them, full stop.  Yes, with SaaS,
there is usually no action needed by users or vulnerability scanners.

As a CNA, CERT/CC follows INC 3.


