Thoughts: Vulnerabilities-in-a-Service (ViaS) might be CVE worthy if:

1. They can and should be scanned or audited for.
2. The user of the service can take a discrete action to remove the vulnerability, or to have it removed.
3. The same ViaS is available from (exploitable in) multiple SPs, possibly including multiple LoBs in the same company.
4. Plus whatever we said 6 months ago; I'm in transit so the archives are not readily accessible.

Tom Millar, US-CERT
Sent from +1-202-631-1915
https://www.us-cert.gov

From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Andy Balinsky (balinsky)
Sent: Wednesday, September 06, 2017 2:24:06 PM
To: kseifried@redhat.com
Cc: cve-editorial-board-list
Subject: Re: CVE For Services

Cisco has many services, regularly issues advisories on them, and does not pay anyone any bounties. Cisco doesn't really distinguish between a shipped product and a service. Many of our products come with management services (e.g. Meraki routers that are entirely dependent on cloud management). Many of our services include a physical piece of hardware as a data collector, or are services that use physical installed products as their data sources or their management targets.

I agree that services CVEs for third-party researchers are a much murkier area (how do they legally do testing, how do they confirm, what do they use for version numbers, etc.), but for vendors who have open disclosure policies, I would argue that issuing CVEs should be an option for them.

Andy