[openssl-users] Vulnerability Disclosures

Jeffrey Walton noloader at gmail.com
Sun Jul 12 00:53:20 UTC 2015


> I wanted to suggest that when notifying of new vulnerabilities, in addition to the severity level, information is also provided about how widespread the issue is expected to be.
>
> For example, the statement might say "this high severity bug is expected to affect around 70% of cases”, or for CVE-2015-1788 it would presumably state “around 1%” as it affects only client-side uses.
>
> This would help OpenSSL users gauge whether the upcoming vulnerability is “heartbleed”-level, or less serious/widespread. Currently a wide variety of vulnerabilities are just indicated as “high” severity, which could mean anything from a relatively minor DoS affecting 5 implementations to MITM affecting all servers/browsers.
>

Wide-spread-ness is an interesting factoid, but I kind of feel like
it's not really relevant. OpenSSL is kind of ubiquitous, so adverse
events are kind of widespread by definition.

I've worked in Risk as a Security Architect. An organization has a
risk posture, and they will choose to remediate a vulnerability that
applies to them; or they will choose to do nothing and accept the
risk. An organization will also assess their partners, and ensure
compatible security postures as a matter of governance. If their
partner is deficient, then they will have to address that risk too or
do nothing and accept the risk.

The monoculture based on OpenSSL's success is a hindrance, too. It's
kind of like a genome that's lost its genetic diversification. An
interesting talk about it is Dan Geer's "Heartbleed as Metaphor",
http://www.lawfareblog.com/heartbleed-metaphor.

Jeff
