Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Suppose we consider a "rule of thumb":
"Any software that functions according to its specification, and whose
correct functioning is within the bounds of a common security policy
(but not necessarily *every* policy) will NOT be considered a
vulnerability for inclusion in the CVE."
Thus, the finger program would not be a vulnerability so long as all
of its functions are correct and known. We might allow its use in
an academic environment, so it is not a vulnerability.
By that token, I would contend that guessable passwords are not a
Of course, this introduces the question of where we get complete
specifications and common policies.... :-)