
Re: CVE for hosted services



On Fri, 2017-02-24 -0700, Kurt Seifried wrote:
> On Fri, Feb 24, 2017, Pascal Meunier <pmeunier@cerias.purdue.edu>
> wrote:
>
> > In this case you are talking about incident IDs, not CVE IDs,
> > because the second and third could be the same core vulnerability,
> > either badly patched or badly protected. Moreover, two similar ones
> > are not necessarily so. They could be completely independent
> > things/services
>
> (I don't know how CloudFlare works internally, it could be a
> monolithic binary for all I know).
>
> The problem is we don't know, unless you're suggesting the vendor
> actively helps with further CVE assignments, in which case they are,
> um, our proxy to the problem. Better if reporters and vendors work
> together, but I don't think we can count on that.

I rely on someone else's suggestion (paraphrasing) that CVE IDs be
given when appropriate in cases like this, without trying to
systematically cover the whole space, making this "optional scope". To
me it only makes sense when the vulnerability can be identified in the
software being run, not just whenever any security problem is found.

> > Findings at the same time could be different vulnerabilities, for
> > which you would need 2 CVEs to be correct. Or do we not care any
> > more? I remember seeing one CVE vaguely defining multiple
> > vulnerabilities?
> >
> > For each incident, with no visibility inside the remote black box
> > that provides the service, we know almost nothing about the
> > vulnerability, and we cannot ID it. We can only ID the findings of
> > problems. Although giving IDs to incidents and findings is very
> > useful, that's outside the scope of the CVE. It's like we have a
> > hammer (CVE IDs) and everything looks like the proverbial nail now.
>
> Ideally the provider would help with CVE assignment (much like
> cloudflare wrote a large blog entry) so that it is done correctly. A
> lot of these providers care about being seen as security
> conscious/responsible, it's a major competitive edge.
>
> > I suggest the creation of something else to identify incident,
> > report or finding IDs.
> >
> > Pascal
> >
> > On Fri, 2017-02-24 at 10:11 -0700, Kurt Seifried wrote:
> > > For example someone finds another memory disclosure in CloudFlare,
> > > and then another person finds a third one. Are we talking about A,
> > > B or C? CloudBleed 1? The thing after CloudBleed? If they had CVEs
> > > or an equivalent identifier it would be much easier. Especially as
> > > I have to now interact with other vendors (Hey Atlassian, do you
> > > deliver JIRA via CloudFlare at all and are you affected by
> > > CloudBleed?).
> > >
> > > Especially as the data leaked from CloudBleed is now in all sorts
> > > of data caches around the internet (search providers, maybe
> > > archive.org, etc.), so we'll need to talk about this off and on
> > > for potentially the next few years.
> > >
> > > On Fri, Feb 24, 2017 at 9:03 AM, Millar, Thomas
> > > <Thomas.Millar@hq.dhs.gov> wrote:
> > >
> > > > How do I use a CVE for a service vuln to check if my environment
> > > > was affected and if so, that my ops have applied the proper
> > > > remedies?
> > > >
> > > > Tom Millar, US-CERT
> > > >
> > > > Sent from +1-202-631-1915
> > > > https://www.us-cert.gov
> > > >
> > > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
> > > > From: owner-cve-editorial-board-list@lists.mitre.org on behalf of
> > > > Kurt Seifried
> > > > Sent: Friday, February 24, 2017 3:44:39
> > > > To: Manion, Art
> > > > Cc: jericho; Booth, Harold (Fed); cve-editorial-board-list
> > > > Subject: Re: CVE for hosted services
> > > >
> > > > So yeah I'll leave this as an example:
> > > >
> > > > https://www.google.ca/search?q=cloudflare+cloudbleed
> > > >
> > > > I know for example CloudSecurityAlliance wise I now need to force
> > > > reset all passwords on all our websites, look at the third
> > > > parties we do authentication with (e.g. FaceBook, Linkedin), see
> > > > if they are affected (not a lot we can do except notify people).
> > > >
> > > > On Thu, Feb 23, 2017, Art Manion <amanion@cert.org> wrote:
> > > >
> > > > > On 2017-02-23 19:05, jericho wrote:
> > > > >
> > > > > > https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
> > > > > >
> > > > > > Harold, how do you write a CVE-ish description for this, in
> > > > > > the context of a CVE for a site-specific issue? The service
> > > > > > and the information disclosure are the relatively easy part.
> > > > > > Then what? Do you also mention some of the services that use
> > > > > > Cloudflare? Some businesses may know, individuals don't (e.g.
> > > > > > 1Password is hosted on it). What date range do you put down
> > > > > > for this? You know the fix date, the start date. That goes
> > > > > > back to the question of making these entries useful for
> > > > > > companies trying to determine risk.
> > > > >
> > > > > Not answering your questions, but:
> > > > >
> > > > > This issue should get a CVE ID so the world can talk about it
> > > > > with confidence that they are talking about the same "it". The
> > > > > description might be tricky, but the description is primarily
> > > > > to catalog/de-duplicate, not to help assess risk.
> > > > >
> > > > > CVE is lower layer of infrastructure. Someone else (NVD, CVSS,
> > > > > RBS, CERT, a CloudFlare customer) can add to the severity/risk
> > > > > assessment.
> > > > >
> > > > >  - Art
> > > >
> > > > --
> > > > Kurt Seifried -- Red Hat -- Product Security -- Cloud
> > > > PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
> > > > Red Hat Product Security contact: secalert@redhat.com

Page last updated or reviewed: February 24, 2017