FINAL CONTENT DECISION: Use "Same Codebase" LOA for Software Flaws


Now that many of the Editorial Board members have weighed in with
their opinions, it is clear that the majority of the Editorial Board
wants the CVE to adopt the "Same Codebase" level of abstraction for
software flaws, and is willing to live with the potential
inaccuracies and minor headaches of trying to determine what a
"different codebase" really is.  Dave Mann, Bill Hill, and I retain
our perspective that Same Attack is more appropriate (primarily
because of its simplicity, which reflects one of our high-level goals
for the CVE, and concerns with accuracy with respect to Same
Codebase).  However, in the interests of moving forward and reflecting
community "consensus," I have made a Final Decision to adopt the Same
Codebase content decision for software flaws.  (I believe that similar
discussions with respect to configuration problems *may* yield
different results; those issues will be discussed later).

I will attempt to formalize the Same Codebase decision and pass it to
the Editorial Board for review.  I will then move all proposed
vulnerabilities affected by this decision to the Modification phase
next Wednesday.  We will see our first SPLIT operations at that time.

Yesterday I was able to discuss this issue at some length with Adam
Shostack and Elias Levy, who have been on opposite ends of the
spectrum.  Ultimately, Elias came to agree with Adam that using the
Same Codebase was appropriate for the CVE.  (I'll post a summary of
that meeting at a later time; unfortunately Paul Proctor wasn't able
to attend because the meeting started too late for him due to delays
in the Black Hat Briefings, and I wasn't able to find Craig Ozancin in
the morass of people.)  This leaves a number of strong advocates for
Same Codebase, no strong advocates for Same Attack (with the exception
of MITRE), and a number of milder responses.

I will post a summary of the discussions at a later date (I'm
recovering from a redeye flight from Black Hat).

Board members' "votes" are identified below, taking into account (a)
statements they've made, and (b) secondarily, what content decisions
they use in their own database.  Please post corrections.

Strong Support (Same Codebase)
Gene Spafford
Adam Shostack
Steve Northcutt
Paul Proctor
Russ Cooper

Some Support (Same Codebase)
Elias Levy
Pascal Meunier
Stuart Staniford-Chen

Strong Support (Same Attack)
Steve Christey/Bill Hill

Some Support (Same Attack)
Mike Prosser
Andre Frech
Matt Bishop

No Opinion
Andy Balinsky/Kevin Ziese
Craig Ozancin/Rob Clyde
Kent Landfield
Bill Wall

