
Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)

Hmm, interesting.

Suppose we consider a "rule of thumb:"

"Any software that functions according to its specification, and whose 
correct functioning is within the bounds of a common security policy 
(but not necessarily *every* policy) will NOT be considered a 
vulnerability for inclusion in the CVE."

Thus, the finger program would not be a vulnerability so long as all 
of its functions are correct and known. We might allow its use in 
an academic environment, so it is not a vulnerability.

By that token, I would contend that guessable passwords are not a 
vulnerability, either.

Of course, this introduces the question of where do we get complete 
specifications and common policies.... :-)


Page Last Updated or Reviewed: May 22, 2007