[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: HP's policy on CVE assignments

I guess the question is under section 2.1 of the CNA Guidelines:

Assign CVE IDs to security vulnerabilities in their scope as described by the CNA’s Root CNA or the Primary CNA. CVE IDs should only be assigned to vulnerabilities that are or will be made public.2 Vulnerabilities that will not be made public do not receive CVE IDs. 

What counts as "public"? I would argue releasing updates counts as public, even if they are closed source (and especially if they are open source). No CVE's definitely puts customers at risk as they may not be updating (things break), and attackers will be able to find these flaws whether or not they have CVEs (using bindiff/etc.). 

On Fri, Apr 7, 2017 at 1:13 PM, jericho <jericho@attrition.org> wrote:
Caught this via Twitter. Thoughts?



Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: April 07, 2017