[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: An example of hardware/software vulns - GPUs

On 7/13/17 11:24 AM, Millar, Thomas wrote:

I think my main goal in having a category of hardware vulnerabilities
covered by CVE would merely be to ensure that manufacturing or design
issues that cannot be addressed with complete confidence by a
software change are enumerated so that security teams can know they
have a problem that will require a shipping invoice to properly fix,
so to speak.
Yes -- if I have to replace hardware/silicon to fully remove a 
vulnerability, that should get a CVE ID.  Or if instead of replacing I 
keep the (strictly) vulnerable hardware but apply microcode/firmware 
that mitigates the vulnerability -- CVE ID.

I believe the current counting rules allow this, Kurt, do you disagree? 
 Do we need to change the counting rules?

 - Art

Page Last Updated or Reviewed: July 13, 2017