This mailing list discussion addresses the eligibility of SaaS and cloud-only software for CVE tracking, specifically concerning security misconfigurations in the Convercent Whistleblowing Platform (EQS Group). The conversation highlights recent updates to CNA rules that remove prior restrictions on third-party assignments for exclusively hosted services, ensuring that vulnerabilities in such platforms can still be officially tracked.
Security researchers point out that vulnerabilities CVE-2025-34411 and CVE-2025-34412 should remain published with the "exclusively-hosted-service" tag rather than being disqualified. Despite the vendor’s lack of public disclosure or response, the community emphasizes that the nature of the technology (SaaS vs. on-premises) should not be the sole basis for determining CVE assignment eligibility.