
Update: Vulnerability_Disclosure_Cheat_Sheet

Open JosephAllen opened this issue 2 years ago • 2 comments

What is missing or needs to be updated?

Can we add a diagram showing how the CVE List and NVD are related and how the vendor and/or a coordinator can be a part of the discussion?

Understanding the role of a CNA is very important. Not all vendors are CNAs, and some vendors are a CNA for only a specific subset of their respective product offerings. A Coordinator or other CNA can fill the gap where a vendor is not a CNA or ignores conversations regarding vulnerabilities, like saving credentials to a plain text file named credentials.

My personal opinion is that a disclosure without a CVE is unlikely to reach the widest audience, leaving affected parties vulnerable to exposures. The CVE process can be pretty intimidating to someone outside of, or new to, the vulnerability research community.

Reporters/finders should feel empowered to request a CVE before talking to a vendor. This can provide an incentive for a vendor to fix the problem before the vulnerability is published.

How should this be resolved?

Diagram for the following: Finder -> CVE Request -> Vendor/Coordinator -> CVE List -> NVD -> Threat intel tools and professionals

Cover the role of the CNA and/or coordinator

Empower reporter/finder

JosephAllen, Mar 16 '22 16:03

Nice idea, @JosephAllen can you prepare a draft for it so we can review?

mackowski, Jun 13 '22 10:06

@JosephAllen any updates on this? Do you want to work on this?

mackowski, Jun 20 '22 17:06

Old issue without any activity.

mackowski, Jun 13 '23 12:06