[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
RE: CVE numbering
- To: cve-review@linus.mitre.org
- Subject: RE: CVE numbering
- From: Russ <Russ.Cooper@rc.on.ca>
- Date: Tue, 4 May 1999 17:48:33 -0400
Ok, Adam's point really was just that we had "agreed" to use 10,000 as a starting number, and he actually assigned numbers to a few items based on this understanding. The number *is* irrelevant. Really, there are no advantages or disadvantages to any numbering system we use because we are, I hope, striving to keep away from the in-depth analytical data that the CERIAS VdB is attempting to put with the names/numbers the CVE enumerates. What's important is that we have a way to issue a "value", have it be unique, and get vendors to adopt is as a reference value. Beyond that, any other implications derived from the "value" are merely superficial and subject to the particular penchant of the people viewing the data (oh, its number 13, it must have been a really big problem!). We should not spend a great deal of time on the enumeration "value". I'm sure Adam would prefer not to change what he already understood to be settled, but in the end it really does not matter a hoot what we use. IMO, no attempt should be made to put the items in chronological order. >From Mitre's perspective, there's no desire to even properly attribute the discovery or first announcement of vulnerabilities. This gets into liability issues, or at least, the possibility of ticking someone off for not being attributed. If anything, quoting sources of information that were used to derive the info that makes an item worthy of a CVE entry makes the most sense. This isn't done to attribute, but to justify its "acceptance" and provide clarification. I think my last discussions with Steve et al indicated that even this may not be done...which is fine by me. We should remember to stay tightly focused on the Mitre effort, to identify and enumerate all known vulnerabilities such that all entities referring to such vulnerabilities will, ultimately, refer to the same issue. Everything beyond that is the realm of other...possibly related...efforts (CERIAS, VETRANS, etc...) ..."what's in a name, a rose by any other name would still smell as sweet"...;-] The CVE is, IMO, merely trying to name the flower, and say it has a scent. Sweet, not sweet, etc... is not in the purview of the CVE. Cheers, Russ - NTBugtraq moderator
- Prev by Date: RE: CVE numbering
- Next by Date: Current mailing list "subscribers"
- Prev by thread: RE: CVE numbering
- Next by thread: High level agenda for Birds-of-a-Feather meeting
- Index(es):
