Symantec / SecurityFocus CVE reference problems


SecurityFocus is owned by Symantec, who is a CNA. SecurityFocus manages the 'BID' database. Many years back the managers were responsive to feedback on the VIM mail list, and occasionally to direct email. The last few years, they have become completely unresponsive to any issues. In this case, they are using the wrong CVE IDs for some of their entries, due to typos. This would normally be no issue if they were prompt in fixing them.

As a recent example, I contacted them on 2017-04-05 regarding a typo CVE in the title of BID 97400 [1]. To this day they have not corrected it. I contacted them yesterday regarding a similar issue in BID 97590 [2], where they are using CVE-2017-7126 instead of the referenced vendor advisory which uses CVE-2017-7216 [3].

Since Symantec is a CNA, they must be more prudent in correcting such errors. Their lack of replies to pointing out such issues for several years now makes me believe that MITRE needs to reach out to them and impress upon them the significance of maintaining accurate CVE ID references.


[1] http://www.securityfocus.com/bid/97400
[2] http://www.securityfocus.com/bid/97590
[3] Originally Palo Alto used both 2017-7126 and 2017-7216 in different places, but were very quick to fix it when I contacted them.

