Hi,

> the vulnerabilities are no longer considered eligible for CVE tracking,
> despite being real, independently discovered, responsibly disclosed, and
> acknowledged by the vendor.

CVE IDs *can* be assigned for SaaS or similarly "cloud only" software. For a period of time, there was a restriction that only the provider could make or request such an assignment. But the current CVE rules remove this restriction:

  4.2.3 CNAs MUST NOT consider the type of technology (e.g., cloud, on-premises, artificial intelligence, machine learning) as the sole basis for determining assignment.

It would have been acceptable (even preferred) to leave CVE-2025-34411 and CVE-2025-34412 published and identify them as affecting an "exclusively-hosted-service:"

  5.1.11.1 (A CVE Record) MUST use the “exclusively-hosted-service” tag when all known Products listed in the CVE Record exist only as fully hosted services. If the Vulnerability affects both hosted services and on-premises Products, then this tag MUST NOT be used.

Rules: https://www.cve.org/resourcessupport/allresources/cnarules

Regards,

 - Art

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
