Re: CVE's for private/"Secret" issues

To: jericho <jericho@attrition.org>
Subject: Re: CVE's for private/"Secret" issues
From: Kurt Seifried <kseifried@redhat.com>
Date: Thu, 19 Nov 2015 10:58:53 -0700
Authentication-Results: spf=none (sender IP is 129.83.29.2)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=redhat.com;
CC: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Delivery-Date: Fri Nov 20 09:40:28 2015
In-Reply-To: <alpine.LNX.2.00.1511191116060.10220@forced.attrition.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CANO=Ty2_RSgjozk=_w11=MRjTcYnw-TDD3XkjiooVGtUqFSg_A@mail.gmail.com> <alpine.LNX.2.00.1511191116060.10220@forced.attrition.org>
Sender: <owner-cve-editorial-board-list@lists.mitre.org>
SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
SpamDiagnosticOutput: 1:2

On Thu, Nov 19, 2015 at 10:28 AM, jericho <jericho@attrition.org> wrote:

I understand that such a company does not want to give any information
away about their 0day, as that is a huge part of their reputation (and
thus sales). What I don't understand is that when they release a dozen
exploits for already disclosed issue, they don't match them up with a CVE
if one exists. Why tell people "we can exploit a remote WordPress flaw"
that we know is public, but not which one? As a customer I would certainly
want to know that. But, it may be a case where the actual exploit
references it, and the public list of exploits released in that version /
pack do not. Makes sense for existing customers, but seems like missing
out on potential sales as vague descriptions like that are not very
helpful.

Thinking of economic incentives I suspect this is due to the fact that 1) why bother doing the work internally when you can get the community to do it and match it up and 2) by not attaching CVE's they make the work look potentially original as opposed to "this is old and well known".

HP's TippingPoint ZDI does use CVE for a majority of their issues, and
they are also very good about answering questions if there is confusion
over assignments or which issue it tracks to in relation to a vendor
advisory. I routinely email them and appreciate their help when it comes
up.

In general, most that I have spoken to consider CVE assignment as either
no benefit, or possibly hurting them competitively. Further, from their
eyes, what is the value if they have no plans to ever release details, and
never verify it is a duplicate to another disclosure?

Again the economics for the 0 day as attack tools sellers are definitely incentivized against any public disclosure or getting these issues fixed by vendors sadly.

So rather then trying to deal with the 0 day sellers perhaps we get their customers to demand CVE's. Is there any Mitre program/materials to educate consumers (e.g. companies) of the value of CVE?

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

References:
- CVE's for private/"Secret" issues
  - From: Kurt Seifried <kseifried@redhat.com>
- Re: CVE's for private/"Secret" issues
  - From: jericho <jericho@attrition.org>

Prev by Date: RE: CVE's for private/"Secret" issues
Next by Date: Regarding CVE assignments on oss-sec mailing list
Prev by thread: Re: CVE's for private/"Secret" issues
Next by thread: RE: CVE's for private/"Secret" issues
Index(es):
- Date
- Thread