
Re: CVE For Services

A recent and really significant one: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/

On Wed, Sep 6, 2017 at 8:33 AM, Beverly Finch <beverlyfinch@lenovo.com> wrote:
Can someone give a few examples of a service vulnerability?


Beverly M Finch, PMP
PSIRT Program Manager
Product Security Office

7001 Development Drive
Office 3N-C1
Morrisville, NC 27560

+1 919 294 5873


-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
Sent: Wednesday, September 6, 2017 9:53 AM
To: Millar, Thomas; Andy Balinsky (balinsky); kseifried@redhat.com
Cc: cve-editorial-board-list
Subject: Re: CVE For Services

On 2017-09-06 09:35, Millar, Thomas wrote:

> 4. Plus whatever we said 6 months ago; I'm in transit so the archives are not readily accessible

My recollection, human memory being what it is, was that it would be permissible to assign CVE IDs to service vulnerabilities, but that we didn't expect anything near comprehensive coverage, for reasons in this thread and others. Also we didn't expect CVE or other CNAs to make a concerted effort to track service vulnerabilities (although, we didn't finish the bug bounty provider discussion).

About the legality of testing services: While interesting, not directly CVE's problem. Confirmation/evidence collection of service vulnerabilities will be much harder.

 - Art


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: September 06, 2017