On Thu, Apr 21, 2022 at 1:18 PM Jonathan Leitschuh < [email protected]> wrote:
> I did some polling of the community and it seems like a CVE to indicate
> that a project is no longer supported would be appreciated and appropriate.
>
> - https://twitter.com/jlleitschuh/status/1503422152028078082?s=21&t=K6iRHZ4asuBTyDf7JlQI4A
> - https://www.linkedin.com/posts/jonathan-leitschuh-94553661_log4shell-security-software-activity-6911695338818969600-iRnU?utm_source=linkedin_share&utm_medium=ios_app
>
> This could be done under "CWE-1104: Use of Unmaintained Third Party
> Components (4.6)"

At the moment the CVE rules would not allow this, so ASF or any CNA couldn't today issue a CVE for "$Vendor $Product $Version is now EOL". However, it's definitely worth exploring, as it solves many of the issues we have with inconsistency (across vendors and even projects) in the handling of vulnerabilities in EOL products.

There are cons as well as pros though, and some things to think about (should this only be issued the first time there is a CVE, otherwise you're potentially flagging something as a security concern even though there are no reported issues; what about projects that continue to provide updates for software beyond the vendor's own EOL, like Linux distros for example). But the alternatives all have pros and cons too.

This is something we should bring up with the CVE program. We are looking at creating a group for interfacing with researchers such as yourself [1], and this would be a perfect thing to discuss there; and if that group doesn't happen (or doesn't happen quickly) we can raise it in one of the other working groups.

Mark

[1] https://cve.mitre.org/community/board/meeting_summaries/30_March_2022.pdf
