That is a bit of a short-sighted response.
We cannot query your brain for information, and thinking that you can
actively avoid any issues by updating to the newest version is not only
a fantastic dream, it's also a potential route to getting compromised, as
not every new version of every bit of software is safe, or solves all
known problems.
Having a queryable and well-maintained list of known issues helps in
cases where you know what software you are using, and what risks you are
running by using it, regardless of the possibility of updates,
mitigations or your ability to keep track of mailing lists for every
piece of software you use.
Yes, money is spent, and a bit much at that, but when you start
factoring in the people running the thing, and what the maintenance of
the lists, hardware, surrounding communication and everything else costs, I'm
not sure there's a cheaper option available. Besides, it's a public
service; moving this to volunteer-driven solutions isn't going to
provide the time-critical responses this needs, and moving it to a
company means there will be profit to be made, or competing lists that
need to be bought because of balkanization.
On 4/16/25 21:05, Marco Moock wrote:
On 16.04.2025 at 16:57:20 Rolf Reintjes wrote:
Any comments on this?:
https://www.csoonline.com/article/3963190/cve-program-faces-swift-end-after-dhs-fails-to-renew-contract-leaving-security-flaw-tracking-in-limbo.html
I don't see a real use-case for such databases - especially if they
consume that much money. I subscribe to the security mailing lists or
newsgroups for the operating systems and software I use and install new
versions immediately - if possible automated.