Re: CVE for hosted services

This is a one-off piece of **** consumer product, not software that is
installed, offered as a service or used anywhere else.  Give it an
incident or advisory ID, or describe it as an anti-pattern because
developers of similar products make similar mistakes.  However, I fail
to see the relevance to the CVE.  If all these products from different
manufacturers were vulnerable due to a software-as-a-service offering,
common to many, I would be interested.

Please don't make the CVE into an incident or advisory database just
because an ID would be handy.


On Tue, 2017-02-28 at 09:02 -0700, Kurt Seifried wrote:
> Another shining example of failure that could use an identifier:
> https://www.troyhunt.com/data-from-connected-cloudpets-teddy-bears-leaked-and-ransomed-exposing-kids-voice-messages/
> https://news.ycombinator.com/item?id=13748028
> This is a great example on so many levels. Simple operational/security
> failure from the sounds of it (default MongoDB setup, so no auth), that
> would tend to indicate that they also have other problems (if they can't do
> simple things right...).

Page Last Updated or Reviewed: February 28, 2017