[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: speaking of hardware CVEs

On Fri, 10 Mar 2017, Kurt Seifried wrote:

: This timely article is out: 
: seems like some UEFI implementations are lacking basic security 
: checks/best practices, I would think failing to sue those things 
: be CVE worthy in the modern world.

Devil's advocate:

CVE has largely said they will not create for default credentials, even 
when it means complete administrative access to the app/device/OS [1]. 
that isn't CVE-worthy, then "missing other best practices" doesn't seem 
like it would qualify either.


[1] I realize there are a few default-related IDs, sometimes because 
researchers reserve it (e.g. CVE-2017-3186), a CNA assigns for it (e.g. 
CVE-2016-9215), or when MITRE assigns for it rarely (e.g. 

Page Last Updated or Reviewed: March 13, 2017