I don't know how to convince vendors that no one cares about a CVE's ID, but instead cares about its contents.

Every vendor I talk to loves to give pages of CVE IDs like they're the prize or the useful information. They may as well be UUID sugar. What is the software in question? What is the vulnerability? Why must you bury this information while holding what's essentially a table's primary key as the jewel of the finding?

@bea Aside from making exec-types care, this is the one upside to the whole trend of naming vulns.

Yes, it's stupid. Yes, "$vulnType in $vulnSoftware" is still infinitely better. But at least with "log4shell" I have some idea what we're talking about without memorizing numbers.

@Name_Too_Long that's fixing the wrong angle. If a vuln is big enough to have a name, you know enough about it to know the software in question, how bad it is, what the risks are. My vendor tool showing me all the vulns in the infra, I don't care what the CVE ID is, I care about what it's in, how exposed it is, what the risk associated is.

@bea Agreed. Like I said, "$vulnType in $vulnSoftware" is infinitely better.