This discussion addresses security misconfigurations and customer enumeration vulnerabilities identified in the Convercent Whistleblowing Platform, a SaaS product by EQS Group. The VulnCheck CNA initially declined to assign CVE records (specifically CVE-2025-34411 and CVE-2025-34412), arguing that SaaS vulnerabilities mitigated at the provider level do not warrant actionable CVE records. This decision has sparked a debate regarding the interpretation of modern vulnerability disclosure standards for cloud-based services.
Researchers have countered this stance by citing updated MITRE CNA rules, which state that technology type (such as cloud or SaaS) should not be the sole basis for denying a CVE assignment. They emphasize that the "exclusively-hosted-service" tag was specifically designed for these scenarios. While the vendor has reportedly issued internal advisories within a private customer portal, the lack of public disclosure remains a point of contention for security researchers seeking transparent vulnerability tracking.