Symantec / SecurityFocus CVE reference problems

Symantec / SecurityFocus CVE reference problems

jericho
Board,

SecurityFocus is owned by Symantec, who is a CNA. SecurityFocus manages
the 'BID' database. Many years back the managers were responsive to
feedback on the VIM mail list, and occasionally to direct email. The last
few years, they have become completely unresponsive to any issues. In this
case, they are using the wrong CVE IDs for some of their entries, due to
typos. This would normally be no issue if they were prompt in fixing them.

As a recent example, I contacted them on 2017-04-05 regarding a typo CVE
in the title of BID 97400 [1]. To this day they have not corrected it. I
contacted them yesterday regarding a similar issue in BID 97590 [2], where
they are using CVE-2017-7126 instead of the referenced vendor advisory
which uses CVE-2017-7216 [3].

Since Symantec is a CNA, they must be more prudent in correcting such
errors. Their lack of replies to pointing out such issues for several
years now makes me believe that MITRE needs to reach out to them and
impress upon them the significance of maintaining accurate CVE ID
references.

Brian

[1] http://www.securityfocus.com/bid/97400
[2] http://www.securityfocus.com/bid/97590
[3] Originally Palo Alto used both 2017-7126 and 2017-7216 in different
     places, but were very quick to fix it when I contacted them.
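The kind of check a database maintainer could run before publishing an entry, as an added example that is not part of the thread and not SecurityFocus, Symantec or Palo Alto tooling: it pulls the CVE IDs out of a third-party entry and out of the vendor advisory the entry cites, reports IDs that appear on only one side, and flags an "extra" ID that is one digit transposition or one digit substitution away from a "missing" one as a suspected typo. The sample entry and advisory texts are constructed; only the two IDs (CVE-2017-7126 vs CVE-2017-7216) come from the post, and treating transposition and single-digit substitution as the typo classes worth flagging is this example's own assumption.

```python
"""Cross-check CVE IDs cited by a vulnerability-database entry against the
vendor advisory it references, and flag near-miss IDs that look like typos.

Added example; not SecurityFocus/Symantec code. The sample texts below are
constructed; only the two CVE IDs come from the mailing-list thread.
"""
import re
from typing import Dict, List, Set

# Well-formed CVE ID: CVE-<4-digit year>-<4 or more sequence digits>.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)


def extract_cves(text: str) -> Set[str]:
    """Return every well-formed CVE ID in text, normalised to upper case."""
    return {f"CVE-{year}-{seq}" for year, seq in CVE_RE.findall(text)}


def _diff_positions(a: str, b: str) -> List[int]:
    """Indices at which two equal-length strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def adjacent_transposition(a: str, b: str) -> bool:
    """True if a and b differ only by one swap of two neighbouring characters
    (e.g. ...-7126 vs ...-7216)."""
    if len(a) != len(b):
        return False
    d = _diff_positions(a, b)
    return (len(d) == 2 and d[1] == d[0] + 1
            and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]])


def single_substitution(a: str, b: str) -> bool:
    """True if a and b differ in exactly one character position (one wrong digit)."""
    return len(a) == len(b) and len(_diff_positions(a, b)) == 1


def cross_check(entry_text: str, advisory_text: str) -> Dict[str, List[str]]:
    """Compare the CVE IDs in a third-party entry with those in the vendor
    advisory it cites.

    matched          IDs present in both
    missing          IDs the advisory uses but the entry does not
    extra            IDs the entry uses but the advisory does not
    suspected_typos  "extra -> missing" pairs one transposition or one digit apart
    """
    entry, advisory = extract_cves(entry_text), extract_cves(advisory_text)
    report: Dict[str, List[str]] = {
        "matched": sorted(entry & advisory),
        "missing": sorted(advisory - entry),
        "extra": sorted(entry - advisory),
        "suspected_typos": [],
    }
    for wrong in report["extra"]:
        for right in report["missing"]:
            if adjacent_transposition(wrong, right) or single_substitution(wrong, right):
                report["suspected_typos"].append(f"{wrong} -> {right}")
    return report


# Constructed sample input: a BID-style entry and the vendor advisory it points
# at. Only the CVE IDs themselves come from the thread; everything else is made up.
BID_ENTRY = """BID 97590 (constructed sample entry)
CVE: CVE-2017-7126
References: vendor advisory
"""
VENDOR_ADVISORY = """Palo Alto Networks advisory (constructed sample)
CVE ID: CVE-2017-7216
"""

if __name__ == "__main__":
    result = cross_check(BID_ENTRY, VENDOR_ADVISORY)
    for key, values in result.items():
        print(f"{key:16} {values}")
    if result["suspected_typos"]:
        raise SystemExit("entry cites CVE IDs that look like typos of the advisory's IDs")
```

An "extra" ID that is not a near miss of anything in the advisory is a different problem (the entry may be citing a second, legitimate ID the advisory dropped, as happened when Palo Alto briefly used both IDs), so the script only flags it and leaves that call to a human.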

Re: Symantec / SecurityFocus CVE reference problems

Adinolfi, Daniel R

Folks,

We will reach out to our contact in the Symantec PSIRT and learn more about this from their end.

Thanks.

-Dan

From: <[hidden email]> on behalf of jericho <[hidden email]>
Date: Saturday, April 22, 2017 at 23:29
To: cve-editorial-board-list <[hidden email]>
Subject: Symantec / SecurityFocus CVE reference problems

Re: Symantec / SecurityFocus CVE reference problems

Adinolfi, Daniel R
In reply to this post by jericho

All,

Our CNA contact at Symantec will reach out to the folks running the BID database and see that these issues are fixed.

He also suggested that the team should be responsive to messages sent to [hidden email]. That is their primary point of contact, and it always has someone watching the queue.

Thanks.

-Dan


RE: [EXT] Re: Symantec / SecurityFocus CVE reference problems

Mike Prosser

Hi Dan, all

That would be secure at Symantec.com vice security at….

secure “at” is our PSIRT managed mailbox with more eyes watching it. If anyone has a security-related question on any of our issues, that’s the best contact to ensure a prompt response.

Regards,

-Mike Prosser
Symantec Software Security Group
PSIRT

From: [hidden email] [mailto:[hidden email]] On Behalf Of Adinolfi, Daniel R
Sent: Tuesday, April 25, 2017 9:02 AM
To: cve-editorial-board-list <[hidden email]>
Subject: [EXT] Re: Symantec / SecurityFocus CVE reference problems
