[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Final Decision on Same Attack/Same Codebase to occur next Friday


Next Friday I plan to make a final decision on whether to use a Same
Attack or Same Codebase content decision.  The interim review meeting
at Black Hat will have highly opinionated individuals on both sides of
the issue :-) but I will try my best not to be unreasonably influenced
by the immediacy of those discussions.  At this moment, while Matt
Bishop makes a valid point that sometimes "neither" is sufficient, I
believe that in general, Same Attack or Same Codebase will cover most
of the software flaws that we encounter.

Note that to me, this issue will be resolved for software faults
*only* (with respect to the CVE anyway).  I believe that the nature of
the discussion with respect to the other primary CVE categories -
i.e. configuration problems and the usage of certain types of
services/applications - may have fundamentally different arguments
associated with them, and possibly different content decisions (as
discussed briefly in the tech paper).  I will present those issues at
a later time.

- Steve

Page Last Updated: May 22, 2007