undefined | Better HN

0 pointsPeterisP2y ago0 comments

I strongly disagree, whatever process we have should work also for 'hostile' vendors and allow for "the community" to verify and assert vulnerabilities even if the vendor denies them, attempts to take legal action, etc.

There are all kinds of options, perhaps national CERTs could override vendor decisions, perhaps something else, but we can't simply assume good-faith behavior from every vendor.

The whole reason why we have various community resources for tracking vulnerabilities was that relying on vendor behavior didn't (and doesn't) work, and it's up to the general public to figure out how force appropriate behavior with e.g. responsible disclosure deadlines, public shaming, etc; and CVEs are part of that mechanism of the community pushing reasonable standards on vendors whether they want it or not - since many vendors often have a clear financial motivation to act against user's interests, downplay and ignore vulnerabilities, and CVEs are for the benefit of system users, not vendors, they are how security researchers can communicate risks to the system users, with or without cooperation from the vendor.

0 comments

lifthrasiir2y ago

CVE numbers are nothing more than identifiers for Common Vulnerabilities and Exposures of all sorts and all severities, so they theoretically do not require any kind of vendor confirmations. However in the reality CVE numbers are seen as some sort of absolute indication of unsafety---which is hardly true---to both security researchers and vendors. So we have two opposite problems now:

1. Security researchers are gaming the CVE system to get more CVE numbers in their portfolio, resulting in frustrated vendors. This is why curl and Linux Kernel went for being CVE numbering authority (CNA) but...

2. Vendors are also trying to reduce the number of CVE numbers assigned for their products, and while not every vendor CNA is that hostile, some do become CNA solely for this purpose.

I believe we should deemphasize the impact of CVE numbers to solve both problems. They should be just identifiers for researchers and users and should not necessarily convey any sort of insecurity---otherwise you will end up with hostile vendors. We can't change the reputation of current CVE numbers however, so I proposed a "provisional" CVE number that hopefully do not convey the same reputation. Hostile vendors can prevent any new (confirmed) CVE number to be assigned, but that's not very much different from today. But we can forbid them from preventing new provisional CVE number to be assigned, assuming an appropriate process update. So we still retain a reliable identifier for CVEs; they can possibly be provisional however.

j / k navigate · click thread line to collapse

0 comments

lifthrasiir2y ago

2. Vendors are also trying to reduce the number of CVE numbers assigned for their products, and while not every vendor CNA is that hostile, some do become CNA solely for this purpose.

j / k navigate · click thread line to collapse