
Re: CVE For Services

On 2017-09-06 09:35, Millar, Thomas wrote:

> 4. Plus whatever we said 6 months ago; I'm in transit so the archives 
> are not readily accessible

My recollection, human memory being what it is, was that it would be 
permissible to assign CVE IDs to service vulnerabilities, but that we 
didn't expect anything near comprehensive coverage, for reasons in this 
thread and others.  Also we didn't expect CVE or other CNAs to make a 
concerted effort to track service vulnerabilities (although we didn't 
finish the bug bounty provider discussion).

About the legality of testing services:  While interesting, not 
directly CVE's problem.  Confirmation/evidence collection of service 
vulnerabilities will be much harder.

 - Art

Page Last Updated or Reviewed: September 06, 2017