Re: Vulnerability discovery credits, vendor acknowledgement, and CVE
* Steven M. Christey (coley@LINUS.MITRE.ORG) [000921 16:33]:
>
> While we're on the topic, a neutral third party who is part of the
> disclosure between discoverer and vendor will be able to minimize the
> "he said, she said" finger-pointing that goes on when the discoverer
> claims that the vendor didn't respond, and the vendor claims that they
> were never notified. This in turn could help make it more clear when
> a vendor is aware of, and has fixed, the vulnerability. 60% of all
> active CVE candidates don't have any concrete vendor acknowledgement,
> at least since I started recording it for CAN-1999-0671 and later.
> The percentage is probably higher if you consider the 300+ candidates
> still remaining from the draft CVE. I've had to delve into logs or
> readme's to find some acknowledgement.

That's exactly what we are offering to do with the VulnHelp service.

> - Steve

--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum