[VIM] handling site-specific vuln reports
amanion at cert.org
Thu Dec 17 19:05:41 UTC 2009
On 2009-12-11 19:46, Steven M. Christey wrote:
> CVE periodically gets reservation requests for site-specific issues. I
> want to redirect the requesters somewhere else, since CVE doesn't cover
> these. xssed.com hasn't updated in ages, but sla.ckers.org is as active
> as ever. Then there's Bugtraq and Full-Disclosure. Any other
(Replied to Steve privately already...)
While CERT by no means keeps up with every public vul anymore (we used
to at least catalog them internally), we do accept private reports and
will at least try to get the report to the vendor.
We consider a web site to be software (even if it is single-instance
software) and we'll try to notify the owner ("vendor") of the site.
Sometimes what appears to be a site-specific issue is actually in some
more general component (like a search engine), then that becomes a more
typical product vulnerability.
That said, we don't have the resources to coordinate all the XSS and
CSRFs that turn up, so we may have to be selective about which reports
we spend time on.
More information about the VIM