Apparently none of the ways I've told @msftsecresponse about this have taken hold:
CVEs ideally get assigned at public disclosure time, not at patch release time. Why was ADV200006 released without a CVE?
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV200006 …
Microsoft is a CNA and should know this.
@n0x08
-
Show this thread
-
I have also complained about this a few times... not sure of the reasoning... if you release a vulnerability in an advisory just release the CVE as well, they already have it assigned....
1 reply 0 retweets 1 like
In the past, they used MSyy-nnn IDs. And those IDs weren't made public until the patch release. A few years ago, they switched to using CVE IDs for the updates instead. Though they haven't changed their process or understanding of when that ID can go public, it seems.
6:17 PM - 23 Mar 2020
0 replies
0 retweets
2 likes
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.