[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Whats worth a CVE?
From:       Kurt Seifried <kseifried () redhat ! com>
Date:       2013-01-22 1:31:02
Message-ID: 50FDEBD6.7040502 () redhat ! com
[Download RAW message or body]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/21/2013 02:17 PM, Eitan Adler wrote:
> On 21 January 2013 14:50, Scott Herbert
> <scott.a.herbert@googlemail.com> wrote:
>> Well the subject sum's the question up really, are their any
>> fixed guidelines for what counts as a CVE and what doesn't? Or is
>> it just up to the CVE pool manager as to what they feel is of
>> note?
> 
> CVEs are given to vulnerabilities. A detailed explanation of what
> these are can be found here: 
> https://cve.mitre.org/about/terminology.html
> 
> 

Further note, for example:

A default account/password in a device or service. Is this a security
issue or not? Different scenarios have different outcomes:

1) The default account/password is well documented. The services
forces you to change the password when first run and will refuse to
run until you do change the password. Generally not considered a vuln.

2) The default account/password is well documented. The services does
not force you to change the password when first run. Generally not
considered a vuln as it falls into the "don't do stupid things" class
of issues.

3) The default account/password is not well documented or not
documented at all but can be changed. Generally this would be
considered a vulnerability.

4) The default account/password is not well documented or not
documented at all and can NOT be changed. Generally this would be
considered a vulnerability.

Similar things for other things, is it a security vulnerability or
security hardening, or not a security issue at all? It definitely gets
fuzzy/messy sometimes.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ/evWAAoJEBYNRVNeJnmTQOgP/3E8ssvj1W3tLrgwmd8XXsaD
2U4V6ZueEr0CyIxqlHXHDXBWgtXp2/LYt1ZQg6TkWALIUaj8kuptUd/DLO37+A2b
bNEcpYXkTuRUgOqf80wXZJ7a6kxUiLCRHh1nIFsqLiiJ/LUG06M2bhJWoFeDVg7f
BUM087WJeCGqsNyUAz21UKlqoGhuhELP0Uom7bmKy2P2q0btYqdQCI9Tlst0QP+3
GsoMfUTSa5Ep8E3r7vIGwP6hYA8n/TLrB1Ze95f3ttsqEfWBdXfMYN01SYYw/khn
aaSvPFK3oHwvb3gc/2fE9sTq8dgoSPKBh09jqbvVPw/NaOiipbOnIMk9eCNL0iNl
0mHfD9hsS9h1XFiQmZbtmkPWQCjXIlL42llRjJgYAxGnm8QIH3LWqcJdrOALpCGa
mawi39ItKsQuvLLPr8Jp7LoyeiFRBUKNMLO/QEGWG8rb7sleR3n+VifBqxenNZPP
PJTWW1F5mm1vtB2+zLbz0tfR+7YS0t4j7iSrzg50veVum5Mn/kc+zh41Nvtr5yvd
9F37Yfg1AMsoWEnw4ceT5SJs+UBsKQagD9E3EZPXc8W58l6bnTvJWbx4G7Cmsc9h
JHUOF0sQGofKiFPTmY8jYXLoGoN5pYwHB/xyosdo9Pm1MgjUASK05tfTc/cemK7e
BIo4RQ3BMeW7T/HlYZaz
=50LH
-----END PGP SIGNATURE-----
[prev in list] [next in list] [prev in thread] [next in thread]