Re: Vulnerability discovery credits, vendor acknowledgement, and CVE
* Steven M. Christey (coley@LINUS.MITRE.ORG) [000921 16:33]:
> While we're on the topic, a neutral third party who is part of the
> disclosure between discoverer and vendor will be able to minimize the
> "he said, she said" finger-pointing that goes on when the discoverer
> claims that the vendor didn't respond, and the vendor claims that they
> were never notified. This in turn could help make it more clear when
> a vendor is aware of, and has fixed, the vulnerability. 60% of all
> active CVE candidates don't have any concrete vendor acknowledgement,
> at least since I started recording it for CAN-1999-0671 and later.
> The percentage is probably higher if you consider the 300+ candidates
> still remaining from the draft CVE. I've had to delve into logs or
> readmes to find some acknowledgement.
That's exactly what we are offering to do with the VulnHelp service.
> - Steve
Si vis pacem, para bellum