RE: CVE for hosted services
The CVE Team has discussed the inclusion of hosted service
vulnerabilities within the CVE program on multiple occasions in the
past. However, a decision was never made on how to proceed. The CVE
Board call on Feb 22 included a very informative and useful discussion
regarding this topic, and we feel this topic needs to move forward.
Based on Harold's valid use case, input from other Board members, and
the fact that more and more software is being offered via hosted
services, the CVE Team believes that these vulnerabilities should be
assigned CVE IDs and we have no objections in supporting these under
the CVE program.
We believe that there are still decisions to be made on what kinds of
use cases should be supported, but these can continue to be identified
and discussed on the CVE Board list. Once we have agreement on a valid
set of use cases, the CVE Team and Board can decide on any needed rules
and guidelines. At that point, we believe that the best option would be
to pilot the idea through one or more of our existing CNAs who also
maintain hosted services. If anyone has any additional suggestions or
comments on a way forward then please offer them up.
To answer the specific questions regarding the determination of risk
based on CVE, we agree with Art that CVE is the first step in the
process and should only be responsible for starting the conversation
(i.e., naming the thing). Other organizations can add additional value
on top of this, such as risk scores, mitigations, etc.
Regards,
The CVE Team
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org
[mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of
Art Manion
Sent: Thursday, February 23, 2017 9:37 PM
To: jericho <jericho@attrition.org>; Booth, Harold (Fed)
<harold.booth@nist.gov>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE for hosted services
On 2017-02-23 19:05, jericho wrote:
> https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
>
> Harold, how would you write a CVE-ish description of this, in the
> context of moving CVE to site-specific issues? The service and info
> disclosed is the easy part. Then what? Do you also mention some of the
> services that use Cloudflare? Some businesses may know, where
> individuals do not (e.g. 1Password is hosted on it). What date range
> do you put down for this? You know the fix date, but not the start
> date. This goes back to the problem of making such entries useful to
> companies trying to determine risk.
Not answering your question, but:
This issue should get a CVE ID so the world can talk about it and have
confidence they're talking about the same "it." The description might
be tricky, but the description is primarily to catalog/de-duplicate,
not to help assess risk.
CVE is a lower layer of infrastructure. Someone else (NVD, CVSS, RBS,
CERT, a CloudFlare customer) can add to the severity/risk assessment.
- Art