Message-ID: <fc0b9c87-d043-49a1-a2f9-8156481c690c@atomicmail.io>
Date: Tue, 20 Jan 2026 17:13:27 +0000
From: Yuffie Kisaragi via Fulldisclosure <fulldisclosure@...lists.org>
To: "security-vulnerability@....com" <security-vulnerability@....com>,
"wsparks@...ncheck.com" <wsparks@...ncheck.com>,
"fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] Multiple Security Misconfigurations and Customer
Enumeration Exposure in Convercent Whistleblowing Platform (EQS Group)
Dear Art,
Thank you for sharing your detailed evaluation and for pointing out the relevant
sections of the CNA Rules.
Your argument is well reasoned, particularly with respect to the current
guidance on SaaS and exclusively hosted services.
I have forwarded your evaluation to the CNA for further consideration. It will
also be important to understand the vendor’s perspective in light of the points
you raised, especially regarding the applicability of the
“exclusively-hosted-service” tag and the removal of prior restrictions.
We look forward to receiving transparent feedback from the CNA and/or the vendor.
To date, the vendor has remained silent with regard to informing their users
about the reported issues. As far as we can determine, no public advisory or
user-facing communication has been issued via their vulnerability reporting
channel () or elsewhere.
Best regards,
Yuffie
On Tue, Jan 20, 2026 at 7:26 PM <> wrote:
> Hi,
>
> > the vulnerabilities are no longer considered eligible for CVE tracking,
> > despite being real, independently discovered, responsibly disclosed, and
> > acknowledged by the vendor.
> CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a
> period of time, there was a restriction that only the provider could make or
> request such an assignment. But the current CVE rules remove this restriction:
>
> 4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises,
> artificial intelligence, machine learning) as the sole basis for determining
> assignment.
>
> It would have been acceptable (even preferred) to leave CVE-2025-34411 and
> CVE-2025-34412 published and identify them as affecting an
> "exclusively-hosted-service:"
>
> 5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all
> known Products listed in the CVE Record exist only as fully hosted services.
> If the Vulnerability affects both hosted services and on-premises Products,
> then this tag MUST NOT be used.
>
> Rules: https://www.cve.org/resourcessupport/allresources/cnarules
>
> Regards,
>
> - Art