[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE for hosted services

I will say this with all of the virtual emphasis I possibly can. I 
argue if MITRE tracking online services in a CVE-style capacity is the 
right or wrong thing to do today. But I will say that if you do this...

Do NOT, uner any cicumstance, use 'CVE' as part of the ID scheme. There 
absolutely no logical or beneficial reason to do so.

- CVE supported two prefix schemes for a decade (CVE and CAN).
- Many orgs will not want to track online services, and mixing them 
  make that very painful for 'coverage [metrics|percentage]' etc.
- Some orgs may be more interested in cloud/service offering tracking 
  (e.g. companies that exist for cloudy services themselves)
- For the countless vuln tourists (both individual and companies) that 
  yearly stats entirely based on CVE and not understanding CVE at all, 
  this will forever make ALL stats they generate entirely worthless. I 
  mean, they are already worthless, but this will make it more so.
- Did I mention there is no logical reason to mix them under a unified 
  identifier? =)

I have been an outspoken critic of MITRE and CVE for a long time. I 
spent a LOT more of that time trying to help via the board and behind 
scenes. If MITRE opts to mix and not use diffferent prefix schemes, I 
fully believe that will be the biggest mistake MITRE has ever made in 
17+ years of maintaining the CVE project. 


p.s. This is coming from one of the few people who were strenously 
the CNA/CVE prefix split and put significant pressure on MITRE to unify 

On Fri, 24 Feb 2017, Coffin, Chris wrote:

: The CVE Team has discussed the inclusion of hosted service 
: vulnerabilities within the CVE program on multiple occasions in the 
: past. However, a decision was never made on how to proceed. The CVE 
: Board call on Feb 22 included a very informative and useful 
: regarding this topic, and we feel this topic needs to move forward. 
: Based on Harold's valid use case, input from other Board members, and 
: the fact that more and more software is being offered via hosted 
: services, the CVE Team believes that these vulnerabilities should be 
: assigned CVE IDs and we have no objections in supporting these under 
: CVE program.
: We believe that there are still decisions to be made on what kinds of 
: use cases should be supported, but these can continue to be 
: and discussed on the CVE Board list. Once we have agreement on a 
: set of use cases, the CVE Team and Board can decide on any needed 
: and guidelines. At that point, we believe that the best option would 
: to pilot the idea through one or more of our existing CNAs who also 
: maintain hosted services. If anyone has any additional suggestions or 
: comments on a way forward then please offer them up.
: To answer the specific questions regarding the determination of risk 
: based on CVE, we agree with Art that CVE is the first step in the 
: process and should only be responsible for starting the conversation 
: (i.e., naming the thing). Other organizations can add additional 
: on top of this, such as risk scores, mitigations, etc.

Page Last Updated or Reviewed: February 27, 2017