Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Hmm, interesting. Suppose we consider a "rule of thumb": "Any software that functions according to its specification, and whose correct functioning is within the bounds of a common security policy (but not necessarily *every* policy) will NOT be considered a vulnerability for inclusion in the CVE."

Thus, the finger program would not be a vulnerability so long as all of its functions are correct and known. We might allow its use in an academic environment, so it is not a vulnerability. By that token, I would contend that guessable passwords are not a vulnerability, either.

Of course, this introduces the question of where do we get complete specifications and common policies.... :-)

--spaf