What to do about CVE numbers
Posted Oct 7, 2019 7:22 UTC (Mon) by nim-nim (subscriber, #34454)
In reply to: What to do about CVE numbers by tlamp
Parent article: What to do about CVE numbers
S* happens, and software has bugs. So you *will* get CVEs. If your software suppliers are unable to report the CVEs fixed in each delivery, they are *lying* (or incompetent suppliers that should be replaced). If they *are* reporting the fixed CVEs, you get a direct measure of the whole software supply bugfixing velocity (so if unit A is still fixing years-old CVEs while unit B is fixing last week's CVEs, you know which one has a problem).
I'm not sure if people realize how much that helps cut the crap and avoid kilometers of PowerPoint obfuscation.
Posted Oct 7, 2019 13:50 UTC (Mon)
by imMute (guest, #96323)
I'm not sure I do... Age [of a CVE] is not the only indicator of priority. Maybe Unit A has fixed all the "critical" CVEs and are now working their way through the "probably not even exploitable" CVEs from years ago.
Posted Oct 8, 2019 8:00 UTC (Tue)
by nim-nim (subscriber, #34454)