[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE-2017-7269 and abandonware



From my perspective... I would like it to be the vendor CNA if one 
still exists.  If the vendor refuses or is no longer in business, then 
next up would be to go to a secondary CNA such as you list. 

I would hope the vendor would want to issue that themselves even if the 
product is EOL.  There is concern in various circles that this type of 
acknowledgement from the vendor on an EOL’ed product could cause some 
liability on that vendor. Abandonware is going to become more and more 
of a problem with the new emerging device landscape.  Who owns the 
problems they create?

This is actually a great conversation for the Board to have. 

---
Kent Landfield
+1.817.637.8026

On 3/30/17, 8:52 AM, "owner-cve-editorial-board-list@lists.mitre.org on 
behalf of Art Manion" <owner-cve-editorial-board-list@lists.mitre.org 
on behalf of amanion@cert.org> wrote:

    Who issued CVE-2017-7269 (IIS 6 WebDAV vulnerability)?
    
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
    
    What are the assignment rules for abandonware (or unsupportedware)?
    
    Is the vendor CNA primarily responsible, if one exists?
    
    Next, is it up to a more generic CNA like MITRE, DWF, CERT/CC, 
JPCERT/CC?
    
    
     - Art
    


Page Last Updated or Reviewed: March 30, 2017