[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HP's policy on CVE assignments

On Fri, 7 Apr 2017, Kurt Seifried wrote:

: What counts as "public"? I would argue releasing updates counts as 
: even if they are closed source (and especially if they are open 
source). No

Agreed. Over the last ten years, we have seen a big leap in reversing 
patches, now to the point where many companies have automated setups to 
so. They are reliable and can pull out the vulnerable files and 
sometimes more details. As such, I don't see a closed source patch as 
being "no public details" in today's age. Simply because technology has 
risen to address that specifically.

: CVE's definitely puts customers at risk as they may not be updating 
: (things break), and attackers will be able to find these flaws 
: or not they have CVEs (using bindiff/etc.).

Agreed. Many organizations update based on the perceived need to, not 
because "hey look, shiny new version!" As such, not releasing details 
in a 
changelog or advisory is negligent to some.


Page Last Updated or Reviewed: April 11, 2017