Hiding, or just not telling you? Ivanti and Juniper criticized for improper disclosure of software flaws.

Brother

Security experts restate the key rules for vulnerability disclosure.

Juniper and Ivanti have both come under criticism for the way they register vulnerabilities and assign CVE identifiers. According to the researchers involved, neither company follows established practice when handling information about security issues.

Late last year, watchTowr researcher Aliz Hammond reported a number of flaws in Juniper's software to the company. Juniper investigated and asked the researcher to hold off on publishing until the flaws had been fixed.

Hammond later noted that in Juniper's subsequent patch release, four of the vulnerabilities the researcher had described in detail were fixed without receiving their own CVE identifiers, including a missing-authentication flaw.

Ivanti faces a similar accusation: it deliberately bundles several vulnerabilities under a single CVE identifier. One researcher reported that the company had registered at least five distinct vulnerabilities under the same CVE.

It is quite possible that both companies were trying to keep their published vulnerability counts, and the negative press that comes with them, artificially low. Now that the practice has been called out, it is unlikely to do their reputations any good.

Standard vulnerability management practice is to register each distinct flaw under its own CVE identifier. Scanners, advisory feeds and patch-tracking tools key on that identifier, so a flaw fixed without one, or several flaws sharing one, cannot be tracked individually, and customers cannot tell which issues a given patch actually addresses.

In its defense, Ivanti said it bundles issues to simplify communication with customers, while Juniper said it withholds identifiers for security reasons, to give customers time to update to the latest software versions.

Both companies generally ship their fixes on time, and there is no clear violation of the CVE program's rules. Nonetheless, many security experts have condemned this approach to CVE registration.

Adam Pilton of CyberSmart emphasized that while there is no deadline for assigning CVE numbers, the recommendation is to register them as early as possible, with a unique identifier for each flaw, so that vulnerabilities are resolved promptly and without confusion.

He also noted that delaying disclosure can be justified under responsible disclosure in order to protect users, but that even here a balance must be struck so that users are not left in the dark about security risks in their systems.
 