FINAL CONTENT DECISION: Use "Same Codebase" LOA for Software Flaws
All:

Now that many of the Editorial Board members have weighed in with their opinions, it is clear that the majority of the Editorial Board wants the CVE to adopt the "Same Codebase" level of abstraction for software flaws, and is willing to live with the potential inaccuracies and minor headaches of trying to determine what a "different codebase" really is. Dave Mann, Bill Hill, and I retain our perspective that Same Attack is more appropriate (primarily because of its simplicity, which reflects one of our high-level goals for the CVE, and because of concerns with accuracy with respect to Same Codebase). However, in the interests of moving forward and reflecting community "consensus," I have made a Final Decision to adopt the Same Codebase content decision for software flaws. (I believe that similar discussions with respect to configuration problems *may* yield different results; those issues will be discussed later.)

I will attempt to formalize the Same Codebase decision and pass it to the Editorial Board for review. I will then move all proposed vulnerabilities affected by this decision to the Modification phase next Wednesday. We will see our first SPLIT operations at that time.

Yesterday I was able to discuss this issue at some length with Adam Shostack and Elias Levy, who have been on opposite ends of the spectrum. Ultimately, Elias came to agree with Adam that using the Same Codebase was appropriate for the CVE. (I'll post a summary of that meeting at a later time; unfortunately Paul Proctor wasn't able to attend because the meeting started too late for him due to delays in the Black Hat Briefings, and I wasn't able to find Craig Ozancin in the morass of people.) This leaves a number of strong advocates for Same Codebase, no strong advocates for Same Attack (with the exception of MITRE), and a number of milder responses. I will post a summary of the discussions at a later date (I'm recovering from a redeye flight from Black Hat).
Board members' "votes" are identified below, taking into account (a) statements they've made, and (b) secondarily, what content decisions they use in their own database. Please post corrections.

Strong Support (Same Codebase)
------------------------------
Gene Spafford
Adam Shostack
Steve Northcutt
Paul Proctor
Russ Cooper

Some Support (Same Codebase)
----------------------------
Elias Levy
Pascal Meunier
Stuart Staniford-Chen

Strong Support (Same Attack)
----------------------------
Steve Christey/Bill Hill

Some Support (Same Attack)
--------------------------
Mike Prosser
Andre Frech
Matt Bishop

No Opinion
----------
Andy Balinsky/Kevin Ziese
Craig Ozancin/Rob Clyde
Kent Landfield
Bill Wall