In addition to my recent post around signing of executables and installers to allow installation and use in business with security and compliance requirements, is there any procedure, list or reporting database for reporting of CVE (Common Vulnerabilities and Exploits). Reporting of possible security issues to a public forum, list or official CVE database is also a requirement in secure business environments especially in the case of any Open Source software. We are trying to get adoption of the CloudCompare software within our business so I am trying to get more information around the reporting of CVEs that may be uncovered so we can move forward with this process if possible.
I have already run some SSAT (Static Application Security Tests) software over the code base I have pulled from the repository and aside from some basic possible buffer overruns turned up nothing significant so I cam keen to move forward with our vetting which (hopefully) will progress far enough to get CloudCompare approved for us which in turn could then be used against certifying and compliance for use in other sectors / companies
CVE Reporting
-
seanhannan
- Posts: 6
- Joined: Thu Nov 18, 2021 2:15 am
Re: CVE Reporting
Examples:
On published CVE database
https://www.cvedetails.com/vulnerabilit ... acity.html
https://www.cvedetails.com/vulnerabilit ... zilla.html
https://www.cvedetails.com/vulnerabilit ... layer.html
Disclaimer: I have not looked into what is involved in getting something listed on a database even a place holder where no CVEs exist for example would be start. I am looking into where one would go to specify no CVEs but have so far not found much info
EDIT:
Found this such page for other software that have no (reported) CVE listings
https://launchpad.net/handbrake/+cve
Also this just around even having a reporting process (if none exists already)
https://warroom.rsmus.com/beginners-guide-cve-process/
On published CVE database
https://www.cvedetails.com/vulnerabilit ... acity.html
https://www.cvedetails.com/vulnerabilit ... zilla.html
https://www.cvedetails.com/vulnerabilit ... layer.html
Disclaimer: I have not looked into what is involved in getting something listed on a database even a place holder where no CVEs exist for example would be start. I am looking into where one would go to specify no CVEs but have so far not found much info
EDIT:
Found this such page for other software that have no (reported) CVE listings
https://launchpad.net/handbrake/+cve
Also this just around even having a reporting process (if none exists already)
https://warroom.rsmus.com/beginners-guide-cve-process/
Advice to Software Vendors
Create dedicated emails for reporting security vulnerabilities such as security@
Provide a PGP key to allow encryption of a vulnerability’s technical details
Have an automated response explaining the typical timeline for confirmation (For example, “Thank you for your submission. Your request will be validated within 10 business days”). This helps to let the researcher know they are communicating with a valid account, instead of casting doubt as to whether or not the email will actually be read at that inbox.
Communicate details clearly. Most security researchers are willing to accommodate your timetable if you clearly spell it out to them.
Re: CVE Reporting
Ah, at least we have a dedicated mail address: security@cloudcompare.org (it's listed in the github issue template).
Basically the standard process to report any issue (security or other) is via github: https://github.com/CloudCompare/CloudCo ... new/choose
Basically the standard process to report any issue (security or other) is via github: https://github.com/CloudCompare/CloudCo ... new/choose
Daniel, CloudCompare admin