this post was submitted on 13 Nov 2024
cybersecurity

This subreddit is for technical professionals to discuss cybersecurity news, research, threats, etc.

The original post: /r/cybersecurity by /u/blackwidow_under on 2024-11-12 20:57:01.

I work for a company and came across a vendor product that stores highly sensitive data and provides access to multiple companies. I discovered a security vulnerability in the vendor’s product, discussed it with them, and they acknowledged the issue. However, they mentioned that a complete fix would require changes from their customers as well, making it a complex solution.

My vulnerability disclosure included a 30-day confidentiality period, so the vendor agreed to notify affected customers and publish the issue in their security bulletin. However, they refused to file a CVE, as they don’t want global awareness of the issue. Since my company is not their customer and also not their CNA, I’m unsure how to proceed with publishing a CVE. Raising a CVE would help spread awareness among users and potential customers, especially given the sensitive data the vendor handles. How can I find a way to publish a CVE in this situation? Any advice would be greatly appreciated.
