Embed Notice

HTML Code

<blockquote style="position: relative; padding-left: 55px;"><section><a href="https://infosec.exchange/users/wdormann/statuses/114279622359865712">Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 21:21:28 JST</a><a href="https://infosec.exchange/@wdormann" title="wdormann@infosec.exchange"><img src="https://gnusocial.jp/avatar/232810-48-20240116185707.webp" width="48" height="48" alt="Will Dormann" style="position: absolute; left: 0; top: 0;">Will Dormann</a><div><a href="https://infosec.exchange/@wdormann/114279572208955935" rel="in-reply-to">in reply to</a></div></section><article><p>There's this magical thinking that the CVE ID is what gives attackers the ability to compromise systems.</p><p>If you say that your software is vulnerable but fail to assign CVEs, you're only helping the attackers.</p><p>I remember the time that Microsoft got mad at me for "leaking" one of their CVEs to the public before the update was available. As in their world, CVE IDs were for Microsoft updates. Not for identifying vulnerabilities. 🤦♂️</p></article><footer><a rel="bookmark" href="https://gnusocial.jp/conversation/4844107#notice-9486911">In conversation</a><time datetime="2025-04-04T21:21:28+09:00" title="Friday, 04-Apr-2025 21:21:28 JST">about 4 days ago</time> <span>from <span><a href="https://infosec.exchange/@wdormann/114279622359865712" rel="external" title="Sent from infosec.exchange via ActivityPub">infosec.exchange</a></span></span><a href="https://infosec.exchange/@wdormann/114279622359865712">permalink</a><h4>Attachments</h4><ol><li><label><a rel="external" href="https://gnusocial.jp/attachment/4413850">CrushFTP 11.0.0 to 11.3.0 are vulnerable. Update to 11.3.1+ immediately.#CrushFTP 10.0.0 to 10.8.3 are vulnerable. Update to 10.8.4+ immediately.#</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/610/521/759/845/original/8f190a43dddeb82b.jpeg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/610/521/759/845/original/8f190a43dddeb82b.jpeg</a></li><li><label><a rel="external" href="https://gnusocial.jp/attachment/4413851">In a blog post published on Wednesday, Outpost24 clarified that it reached out to MITRE for a CVE on March 13 and the plan was to keep details of the vulnerability under wraps for 90 days to avoid malicious exploitation.</a></label><br><a href="https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/610/521/686/617/original/6d2aabcc66a7daea.jpeg" rel="external">https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/610/521/686/617/original/6d2aabcc66a7daea.jpeg</a></li></ol></footer></blockquote>

Corresponding Notice

Embed this notice
Will Dormann (wdormann@infosec.exchange)'s status on Friday, 04-Apr-2025 21:21:28 JST Will Dormann
in reply to
There's this magical thinking that the CVE ID is what gives attackers the ability to compromise systems.
If you say that your software is vulnerable but fail to assign CVEs, you're only helping the attackers.
I remember the time that Microsoft got mad at me for "leaking" one of their CVEs to the public before the update was available. As in their world, CVE IDs were for Microsoft updates. Not for identifying vulnerabilities. 🤦♂️
In conversation4 days ago from infosec.exchangepermalink
Attachments
1. CrushFTP 11.0.0 to 11.3.0 are vulnerable. Update to 11.3.1+ immediately.# CrushFTP 10.0.0 to 10.8.3 are vulnerable. Update to 10.8.4+ immediately.#
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/610/521/759/845/original/8f190a43dddeb82b.jpeg
2. In a blog post published on Wednesday, Outpost24 clarified that it reached out to MITRE for a CVE on March 13 and the plan was to keep details of the vulnerability under wraps for 90 days to avoid malicious exploitation.
  https://media.infosec.exchange/infosec.exchange/media_attachments/files/114/279/610/521/686/617/original/6d2aabcc66a7daea.jpeg

Public

Embed Notice

HTML Code

Corresponding Notice