[prev in list] [next in list] [prev in thread] [next in thread]
List: oss-security
Subject: Re: [oss-security] Whats worth a CVE?
From: Kurt Seifried <kseifried () redhat ! com>
Date: 2013-01-22 1:31:02
Message-ID: 50FDEBD6.7040502 () redhat ! com
[Download RAW message or body]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 01/21/2013 02:17 PM, Eitan Adler wrote:
> On 21 January 2013 14:50, Scott Herbert
> <scott.a.herbert@googlemail.com> wrote:
>> Well the subject sum's the question up really, are their any
>> fixed guidelines for what counts as a CVE and what doesn't? Or is
>> it just up to the CVE pool manager as to what they feel is of
>> note?
>
> CVEs are given to vulnerabilities. A detailed explanation of what
> these are can be found here:
> https://cve.mitre.org/about/terminology.html
>
>
Further note, for example:
A default account/password in a device or service. Is this a security
issue or not? Different scenarios have different outcomes:
1) The default account/password is well documented. The services
forces you to change the password when first run and will refuse to
run until you do change the password. Generally not considered a vuln.
2) The default account/password is well documented. The services does
not force you to change the password when first run. Generally not
considered a vuln as it falls into the "don't do stupid things" class
of issues.
3) The default account/password is not well documented or not
documented at all but can be changed. Generally this would be
considered a vulnerability.
4) The default account/password is not well documented or not
documented at all and can NOT be changed. Generally this would be
considered a vulnerability.
Similar things for other things, is it a security vulnerability or
security hardening, or not a security issue at all? It definitely gets
fuzzy/messy sometimes.
- --
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
iQIcBAEBAgAGBQJQ/evWAAoJEBYNRVNeJnmTQOgP/3E8ssvj1W3tLrgwmd8XXsaD
2U4V6ZueEr0CyIxqlHXHDXBWgtXp2/LYt1ZQg6TkWALIUaj8kuptUd/DLO37+A2b
bNEcpYXkTuRUgOqf80wXZJ7a6kxUiLCRHh1nIFsqLiiJ/LUG06M2bhJWoFeDVg7f
BUM087WJeCGqsNyUAz21UKlqoGhuhELP0Uom7bmKy2P2q0btYqdQCI9Tlst0QP+3
GsoMfUTSa5Ep8E3r7vIGwP6hYA8n/TLrB1Ze95f3ttsqEfWBdXfMYN01SYYw/khn
aaSvPFK3oHwvb3gc/2fE9sTq8dgoSPKBh09jqbvVPw/NaOiipbOnIMk9eCNL0iNl
0mHfD9hsS9h1XFiQmZbtmkPWQCjXIlL42llRjJgYAxGnm8QIH3LWqcJdrOALpCGa
mawi39ItKsQuvLLPr8Jp7LoyeiFRBUKNMLO/QEGWG8rb7sleR3n+VifBqxenNZPP
PJTWW1F5mm1vtB2+zLbz0tfR+7YS0t4j7iSrzg50veVum5Mn/kc+zh41Nvtr5yvd
9F37Yfg1AMsoWEnw4ceT5SJs+UBsKQagD9E3EZPXc8W58l6bnTvJWbx4G7Cmsc9h
JHUOF0sQGofKiFPTmY8jYXLoGoN5pYwHB/xyosdo9Pm1MgjUASK05tfTc/cemK7e
BIo4RQ3BMeW7T/HlYZaz
=50LH
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic