This discussion addresses a dispute regarding the eligibility of SaaS and cloud-only vulnerabilities for CVE assignment, specifically concerning the Convercent Whistleblowing Platform by EQS Group. Following reports of security misconfigurations and customer enumeration, contributors argue that current CNA rules no longer restrict CVE IDs to on-premises software, citing specific clauses that allow for "exclusively-hosted-service" tagging.
The exchange highlights a lack of transparency from the vendor, which has reportedly remained silent without issuing public advisories or user-facing communications regarding the discovered flaws. The participants emphasize that despite the technical validity of CVE-2025-34411 and CVE-2025-34412, the transition in CVE assignment policies remains a point of contention between researchers and reporting authorities.