Page 50 - Cyber Defense eMagazine July 2024
Following the designated process for requesting CVE IDs is crucial, as it requires providing accurate and detailed information about the vulnerability. When disclosing the vulnerability, vendors should provide a clear description, including its impact, affected versions, potential attack vectors, and any known mitigations. Assigning a Common Vulnerability Scoring System (CVSS) score helps quantify the severity of the vulnerability.
Errors in assigning CVE IDs are inevitable, and the resolution process involves rejecting, merging, or splitting entries. Organizations must adhere strictly to the update rules: rejecting a CVE if research disproves the vulnerability, fixing typos that cause misuse, or merging multiple IDs assigned to a single vulnerability. When merging, the selected CVE ID incorporates the information from the others, while the unselected IDs are updated with a rejected description. When a single CVE ID was assigned where more than one was required, the entry is split into multiple CVE entries. This ensures accurate and granular identification of distinct vulnerabilities.
Vendors should also provide clear information about any subsequent updates where applicable, such as new patches, versions or mitigations, or changes to the CVSS score.
It's essential to conduct responsible disclosure, minimizing the risk of exploitation and prioritizing the security of affected users. Finally, vendors must ensure compliance with the laws governing vulnerability disclosure practices.
Conclusion
In my opinion, vendors should not hesitate to disclose vulnerabilities with all pertinent information. They owe it to their customers to be transparent. This approach will result in more secure applications and clearer patch management processes.
About the Author
Mike Walters, President and co-founder of Action1 Corporation, manages product strategy for the company. Previously Co-CEO and Co-Founder of Netwrix Corporation, Michael was responsible for go-to-market strategy, sales and evangelism. At Netwrix, Mike and Alex built a very successful cybersecurity business, and they both left Netwrix after the transition to a new CEO. Well known for its visibility and user behavior analytics platform, Netwrix became a leader with more than 10,000 customers worldwide. Mike lives in Laguna Beach, CA, and he has three kids. He is an avid surfer and philanthropist who cares about environmental protection.
Mike can be reached online at our company website
https://www.action1.com/team/
Copyright © 2024, Cyber Defense Magazine. All rights reserved worldwide.