[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE for hosted services

On Wed, 2017-03-01 at 07:05 +0100, Carsten Eiram wrote:
> On Tue, Feb 28, 2017 at 5:36 PM, Pascal Meunier 
> <pmeunier@cerias.purdue.edu>
> wrote:
> >
> > Please don't make the CVE into an incident or advisory database just
> > because an ID would be handy.
> ^^ Short, concise, and so incredibly spot on.
> As Brian pointed out earlier, create another C*E project if wanting to
> track these kinds of issues in hosted solutions.

Thanks.  What made the CVE interesting was the intelligence in
identifying and pinpointing root causes.  A broad range of issues
stemming from the absence of security goals or considerations, as in
that product, only needs an advisory.  I feel that using a CVE ID for
this example would be inappropriate because the CVE was meant to be a
finer and more precise tool.  This example is akin to a grand collapse
from rampant incompetence;  there is nothing to analyze in detail and
nothing to do but get indignant about it on Facebook.


Page Last Updated or Reviewed: March 07, 2017