[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

On 2017-02-23 19:05, jericho wrote:

> https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
> Harold, how would you write a CVE-ish description of this, in the 
> context 
> of moving CVE to site-specific issues? The service and info disclosed 
> is 
> the easy part. Then what? Do you also mention some of the services 
> that 
> use Cloudflare? Some businesses may know, where individuals do not 
> (e.g. 
> 1Password is hosted on it). What date range do you put down for this? 
> You 
> know the fix date, but not the start date. This goes back to the 
> problem 
> of making such entries useful to companies trying to determine risk.

Not answering your question, but:

This issue should get a CVE ID so the world can talk about it and have
confidence they're talking about the same "it."  The description might
be tricky, but the description is primarily to catalog/de-duplicate, not
to help assess risk.

CVE is lower layer of infrastructure.  Someone else (NVD, CVSS, RBS,
CERT, a CloudFlare customer) can add to the severity/risk assessment.

 - Art

Page Last Updated or Reviewed: February 24, 2017