CheatSheetSeries
Update: Vulnerability_Disclosure_Cheat_Sheet
What is missing or needs to be updated?
Can we add a diagram showing how the CVE List and NVD are related and how the vendor and/or a coordinator can be a part of the discussion?
Understanding the role of a CNA is very important. Not all vendors are CNAs, and some vendors are a CNA for only a specific subset of their respective product offerings. A Coordinator or other CNA can fill the gap where a vendor is not a CNA or ignores conversations regarding vulnerabilities, like saving credentials to a plain text file named `credentials`.
My personal opinion is that a disclosure without a CVE is unlikely to reach the widest audience leaving affected parties vulnerable to exposures. The CVE process can be pretty intimidating to someone outside or new to the vulnerability research community.
Reporters/finders should feel empowered to request a CVE before talking to a vendor. This can provide an incentive for a vendor to fix the problem before the vulnerability is published.
How should this be resolved?
Diagram for the following Finder->CVE Request -> Vendor/Coordinator -> CVE List -> NVD -> Threat intel tools and professionals
Cover the role of the CNA and/or coordinator
Empower the reporter/finder
Nice idea, @JosephAllen can you prepare a draft for it so we can review?
@JosephAllen any updates on this? Do you want to work on this?
old issue without any activity