I was aware of this site/organization, and attempted earlier this week to try and work out how to report my local ISP ("only" in 21 states!) for (probably¹) storing passwords in plain text. (Note: I'm not a sysadmin, I just watch y'all for the entertainment/education.)

0day: the vendor does not know about the vulnerability and there is no patch or mitigation in place.
- Most dangerous situation for the vulnerability.
- Could be actively used for attack campaigns without detection, fix or mitigation.

Xday: X being the number of days since the vendor was notified of the vulnerability.
- The vendor may or may not have a patch available, may or may not be working on a fix, and there may or may not be a mitigation available.
- This is the stage of responsible disclosure that should also include the next phase.
- Whether a vendor is responsive or not is irrelevant; the vulnerability should still be submitted for a CVE ID.

Submitted for a CVE ID and in the review queue. Submitting for a CVE ID and getting it listed does a few things:
- MITRE/CISA will contact the vendor to get a status update on the resolution of the vulnerability.
- They may also coordinate with other government agencies around the world on analysis, fix status and disclosure scheduling.
- There have been times where the vendor did not see the vulnerability as something they were going to fix, so a 3rd party may create a fix.
- If it is severe enough, the government security entity with jurisdiction over the company may take legal action against said company for negligence or other poor business practices that put their customers at risk.
- If the vulnerability is of a severe nature, law enforcement may get involved and go through their notification processes in their respective country to notify persons, organizations and companies of the issue.

The CVE will eventually be registered with reserved status in association with the vulnerability and vendor.
- The vendor will be on the clock to resolve the vulnerability within a reasonable amount of time.
- Depending on the severity of the vulnerability, certain governments, organizations and companies will be notified in advance of the actual vulnerability so they can patch, prepare patches, mitigations, workarounds, etc.

CVE-ID published, with the vulnerability information disclosed to the public; the advance notification above reduces the public impact of that disclosure.
- If the vulnerability meets certain thresholds it will be added to several government, private and public organizations' vulnerability listings worldwide with the associated CVE-ID, or relevant vulnerability ID.
- Multiple vulnerability information providers will also pick up the CVE-ID; some do their own assessments and have their own vulnerability IDs.
- Companies, people, organizations and government agencies review the CVE and, based on the severity and environmental factors, will work on coordinating fix/no fix, patching, mitigations, workarounds, etc. to resolve the vulnerability if it impacts their environment.