oss-sec mailing list archives

Re: Re: Discussion: information leakage from server and client software - CVE/hardening/other?


From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 07 Oct 2014 15:45:54 -0600



On 07/10/14 02:35 PM, cve-assign () mitre org wrote:
> The main cases in which a CVE could exist are:
> 
> 1. The author of the software states that the information-leakage
> behavior was a violation of the product's security policy.
> 
> 2. The information-leakage behavior directly contradicts the product's
> documentation stating that the specific information leakage doesn't
> occur.
> 
> 3. The author of the software makes no statement, but all (or nearly
> all) similar products follow a standard practice in which the
> information-leakage behavior doesn't occur. For example: common web
> browsers don't send a file: URL in a Referer header.
> 
> 4. The author of the software makes no statement, and disclosing the
> information results in no benefit to the user, and the information
> would not be useful to the vendor in further developing the product or
> complying with restrictions on the data that the vendor offers in
> conjunction with the product.

So for example the
http://boingboing.net/2014/10/07/adobe-ebook-drm-secretly-build.html
article would indicate to me that this is CVE-worthy under #4 for
example. I also assume that "makes no statement" means the company
actually has to make it easily viewed/available, e.g. not buried in some
huge 60-screen-long EULA/TOS, or in some random source code file ("# and
here is where we send information back").


-- 
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

