|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: HP's policy on CVE assignments
- To: Kurt Seifried <kseifried@redhat.com>
- Subject: Re: HP's policy on CVE assignments
- From: jericho <jericho@attrition.org>
- Date: Fri, 7 Apr 2017 14:27:30 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;
- Cc: CVE Editorial Board <cve-editorial-board-list@lists.mitre.org>
- Delivery-date: Fri Apr 7 15:47:46 2017
- Importance: high
- In-reply-to: <CANO=Ty2Z1SZhfQt0iNiXiO+roMaA6KPp+fO0d2ggntedWfc9dQ@mail.gmail.com>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <alpine.LNX.2.00.1704071412390.19881@forced.attrition.org> <CANO=Ty2Z1SZhfQt0iNiXiO+roMaA6KPp+fO0d2ggntedWfc9dQ@mail.gmail.com>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
On Fri, 7 Apr 2017, Kurt Seifried wrote: : What counts as "public"? I would argue releasing updates counts as public, : even if they are closed source (and especially if they are open source). No Agreed. Over the last ten years, we have seen a big leap in reversing patches, now to the point where many companies have automated setups to do so. They are reliable and can pull out the vulnerable files and functions, sometimes more details. As such, I don't see a closed source patch as being "no public details" in today's age. Simply because technology has risen to address that specifically. : CVE's definitely puts customers at risk as they may not be updating : (things break), and attackers will be able to find these flaws whether : or not they have CVEs (using bindiff/etc.). Agreed. Many organizations update based on the perceived need to, not just because "hey look, shiny new version!" As such, not releasing details in a changelog or advisory is negligent to some. .b
- References:
- HP's policy on CVE assignments
- From: jericho <jericho@attrition.org>
- Re: HP's policy on CVE assignments
- From: Kurt Seifried <kseifried@redhat.com>
- HP's policy on CVE assignments
- Prev by Date: Re: HP's policy on CVE assignments
- Next by Date: Re: HP's policy on CVE assignments
- Previous by thread: Re: HP's policy on CVE assignments
- Next by thread: Re: HP's policy on CVE assignments
- Index(es):