OBB and CVE

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am
OBB and CVE

Post by metamorfosec_id » Fri Jun 22, 2018 7:50 am

Dear OBB community,

Recently I found some XSS issues on websites, and I concluded that the problem is the software currently used. So, I reported it to the software developer directly and he created issue trackers on the GitHub page. I informed him that the public disclosure is at least 30 days, as stated on OBB. Then, I requested two CVE-IDs, and they were published within hours (first CVE-ID) and the next day (second CVE-ID). The developer then asked me why it was disclosed so soon, after only 3 days, not 30 days. He wants to provide enough time for users to update to the newer version before disclosure.

I am rather in a dilemma to explain it because OBB and CVE have different policies. OBB will disclose a vulnerability at the latest on Day 90, or on Day 30 if the vulnerability has been fixed. On the other hand, CVE will assign a CVE-ID and publish it soon if any public reference is found (in this case the GitHub page). If no public reference is found, it will be reserved first until a public reference is added. For your information, the CVE team proactively seeks any public reference, even if we do not put any public reference when requesting the CVE-ID.

Has anyone here had the same or a similar situation in the past? And how did you address it?

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: OBB and CVE

Post by secuninja » Fri Jun 22, 2018 11:58 am

Sorry, I did not completely understand: was it disclosed after three days by CVE or by OBB?

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: OBB and CVE

Post by metamorfosec_id » Fri Jun 22, 2018 9:19 pm

Three days by CVE (no PoC included). And for additional information, the vulnerability had already been fixed before it was disclosed by CVE.

secuninja
Posts:508
Joined:Fri Apr 28, 2017 2:34 pm

Re: OBB and CVE

Post by secuninja » Sat Jun 23, 2018 6:44 am

Hmm... okay, so when CVE discloses it and it's already fixed, where's the problem?

metamorfosec_id
Posts:269
Joined:Mon Apr 30, 2018 7:35 am

Re: OBB and CVE

Post by metamorfosec_id » Sun Jun 24, 2018 10:18 am

As I mentioned before, the developer wants to provide enough time for users to update to the newer version before disclosure, even if the vulnerability has been fixed. And 3 days is too short because I "promised" him to disclose after at least 30 days.

I think the case has been solved because there are official announcements on the forum. And posts on GitHub, I think, cannot be considered "official" for this case.

Lessons learned (on a case by case basis):
  • For manually installed software: Wait at least 30 days to request a CVE-ID. This period allows the developer to fix the issue and publish an official announcement, and allows users to update to the newer version.
  • For hosted software: It does not matter if you request a CVE-ID as soon as possible if there is an official announcement. It would be better if the issue has already been fixed.
