Those of you who report security vulnerabilities, do you also request identifiers for them? Maybe also explain in comments how the overhead is worth it for you. I’m still undecided on the topic.


The poll has ended. With six votes across Twitter and Mastodon the results are hardly representative. But it seems that an identifier for everything is a rare approach (1 vote). Most respondents create one only for important findings (3 votes) or never (2 votes).

There is also a comment on Mastodon explaining the logic behind this: if it’s a vulnerability that companies should patch ASAP, assigning an identifier improves the chances considerably.

@WPalant @c0debabe CVEs are tool enablers. If there's a CVE, then it massively increases the ability of organizations to use tools to identify instances of the vulnerability and track progress towards mitigation and repair. If it's serious enough that you want organizations to actively find and patch it, it's absolutely worth the effort to create the CVE record.

In orgs who patch CVEs in days, non-CVE patches get applied in months or years because execs go "no CVE, it can't be that bad"

Infosec Exchange

A Mastodon instance for info/cyber security-minded people.