[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE for hosted services



I was having some internal discussions with our Incident Response team (PSIRT) at Cisco, and the issue came up of whether there are either any industry best practices, or Mitre policies regarding CVEs for hosted services. 

The situation is where a software service is hosted by a vendor on servers owned by the vendor. A vulnerability is discovered internally by the vendor. It is fixed. No action is required by the customer. She just starts using the fixed version next time she visits that webpage. 
So, should the vendor issue an advisory about it? And should a CVE be generated?

What are other vendors doing in this case? (Maybe this list isn't the best place to be discussing this).

Andy Balinsky

Page Last Updated or Reviewed: February 23, 2017