
Re: CVE for hosted services



On Wed, 2017-03-01 at 07:05 +0100, Carsten Eiram wrote:
> On Tue, Feb 28, 2017 at 5:36 PM, Pascal Meunier <pmeunier@cerias.purdue.edu> wrote:
> 
> >
> > Please don't make the CVE into an incident or advisory database just
> > because an ID would be handy.
> 
> 
> ^^ Short, concise, and so incredibly spot on.
> 
> As Brian pointed out earlier, create another C*E project if wanting to
> track these kinds of issues in hosted solutions.

Thanks.  What made the CVE interesting was the intelligence in
identifying and pinpointing root causes.  A broad range of issues
stemming from the absence of security goals or considerations, as in
that product, only needs an advisory.  I feel that using a CVE ID for
this example would be inappropriate because the CVE was meant to be a
finer and more precise tool.  This example is akin to a grand collapse
from rampant incompetence;  there is nothing to analyze in detail and
nothing to do but get indignant about it on Facebook.

Pascal


Page Last Updated or Reviewed: March 07, 2017