
Re: CVE for hosted services

Just a note:

1) Internal software (either used internally or presented as a service) sometimes gets released publicly; having vulns tracked via CVE would make the entire life cycle much easier to manage when things go public.

2) The world has already moved to a services model; most apps aren't that useful without some online service/API, so there is definitely value in knowing which services I use are vulnerable.

3) There is also a strong push for security transparency (e.g. the CloudSecurityAlliance has several hundred STARS CAIQ entries in the registry, and I know that most cloud services have one, as many large companies/governments now require such an entry prior to purchasing the service), so this is something the industry will be doing; ideally CVE should be a part of that.

On Thu, Feb 16, 2017 at 6:08 AM, Art Manion <amanion@cert.org> wrote:
On 2017-02-15 15:00, Andy Balinsky (balinsky) wrote:

> I think the main benefit would be to unify discussions about an issue.
> If a SaaS vulnerability were disclosed and then academic or online
> discussions wanted to refer to the vulnerability with specificity to
> disambiguate it from some similar vulnerability. That, I suppose, is the
> only aspect left to debate. I don't know if it is a compelling case or not.

As many on this list know, I'm in favor of any vulnerability being able
to get a CVE ID.  Vulnerabilities are abstract things; we need to
identify them to be able to talk about them, full stop.  Yes, with SaaS,
there is usually no action needed by users or vulnerability scanners.

As a CNA, CERT/CC follows INC 3.


 - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: February 22, 2017