Feb 15, 2022, 11:46:00 AM
to GSD Discussion Group, ksei...@cloudsecurityalliance.org, GSD Discussion Group, Ruben Wylleman
Concerning your 1st point, when does something become a vulnerability? Who decides this? Is this more like a slow transition without a clear tipping moment?
In our case the reports came from our installers in the field and concern hardware that primarily uses a WebUI for management and configuration.
As far as I can tell, most affected devices had an update released pretty quickly after contact with their support.
It also concerned more of the lower-grade network equipment.
Rolling out these updates to all those scattered installations is another issue, but solvable. (Also outside this scope.)
There is only one vendor where we don't have an update yet. (They announced TLS 1.2 was on the way, back in 2017.)
For the moment these devices are partly unmanageable using Chrome, Edge and Firefox, but indeed not vulnerable yet. It's more like a major inconvenience.
Anyway, thanks for the input.
I suppose this type of issue should only be added to GSD as an informational entry when there is no update available or planned.
So I'll wait this one out.
Typing the above, I was wondering...
When something is entered in GSD as informational, like in this example only TLS 1.0 supported.
When it transitions in the far future to a vulnerability, I suppose this has to be updated in GSD from informational to a vulnerability.
How would GSD track these kinds of changes? Certainly since there will be some years in between.