We have traditionally assigned CVEs only to those products that are “customer-controlled” (i.e., the software is installed locally and is patched/updated by the end user). However, in prior discussions it was pointed out that more and more software is breaking this model. There are obviously more SaaS offerings, but there are also hybrids between the two, and it may not always be clear what software exists locally and what doesn’t.
Going back to number 2 though, maybe we could think of this not in the sense that the end user can take an action to remove it from their system or keep it updated, but maybe in that they could simply stop using the service based on CVEs present, or a complete lack of CVEs at all.
If we have certain CNAs who are interested in reporting ViaS, it’s probably worth putting together a plan and trying it out. Would be happy to discuss in the meeting today.
Regards,
Chris C
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Millar, Thomas
Thoughts:
From: owner-cve-editorial-board-list@lists.mitre.org on behalf of Andy Balinsky (balinsky)
Cisco has many services, regularly issues advisories on them, and does not pay anyone any bounties. Cisco doesn't really distinguish between a shipped product and a service. Many of our products come with management services (e.g. Meraki routers that are entirely dependent on cloud management). Many of our services include a physical piece of hardware as a data collector, or are services that use physical installed products as their data sources or their management targets.
I agree that service CVEs for third-party researchers are a much murkier area (how do they legally do testing, how do they confirm, what do they use for version numbers, etc.), but for vendors who have open disclosure policies, I would argue that issuing CVEs should be an option for them.
Andy