I agree with Kent's perspective on this.
In this specific case, the discoverer contacted the CNA and received a case number. However, they were told that the unsupported/obsolete product was outside the scope of the CNA.
> What are the assignment rules for abandonware (or unsupportedware)?
As Kent mentioned, this would be a good Board discussion and we could drive to a specific CNA rule that covers this situation. Does anyone disagree with Kent's perspective?
> Is the vendor CNA primarily responsible, if one exists?
Yes. We should always give them the opportunity and redirect to them first if they exist. If they refuse, then a next available CNA could be contacted. One item for the Board discussion: as the backup CNA, how would we verify that this conversation took place?
Chris
-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent B
Sent: Thursday, March 30, 2017 9:33 AM
To: Art Manion <amanion@cert.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE-2017-7269 and abandonware
From my perspective... I would like it to be the vendor CNA if one still exists. If the vendor refuses or is no longer in business, then next up would be to go to a secondary CNA such as you list.
I would hope the vendor would want to issue that themselves even if the product is EOL. There is concern in various circles that this type of acknowledgement from the vendor on an EOL’ed product could cause some liability on that vendor. Abandonware is going to become more and more of a problem with the new emerging device landscape. Who owns the problems they create?
This is actually a great conversation for the Board to have.
---
Kent Landfield
+1.817.637.8026
On 3/30/17, 8:52 AM, "owner-cve-editorial-board-list@lists.mitre.org on behalf of Art Manion" <owner-cve-editorial-board-list@lists.mitre.org on behalf of amanion@cert.org> wrote:
Who issued CVE-2017-7269 (IIS 6 WebDAV vulnerability)?
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7269
What are the assignment rules for abandonware (or unsupportedware)?
Is the vendor CNA primarily responsible, if one exists?
Next, is it up to a more generic CNA like MITRE, DWF, CERT/CC, JPCERT/CC?
- Art