[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- To: cve-editorial-board-list@lists.mitre.org
- Subject: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- From: "Steven M. Christey" <coley@linus.mitre.org>
- Date: Wed, 21 Jul 1999 20:06:32 -0400 (EDT)
- Sender: owner-cve-editorial-board-list@lists.mitre.org
Gene Spafford said: >Okay, then if you want to list anything that *might* be considered a >vulnerability, I want to see an entry for each version of Windows. >Running it is a vulnerability that can lead to compromise. > >Then, one entry for each version of Unix, and one for each version of Linux. > >Then, one for each WWW browser capable of running applets or doing >downloads, and one for every MIME-capable mailer. > >If you are going to be kitchen sink repository, let's go right to the >source of the plumbing problems, so to speak. I will assume that the point here is that the CVE definition of "vulnerability" can become so diluted that anything and everything could be placed into it. And certainly that is a risk, especially as we begin to consider these more ambiguous cases where there isn't necessarily agreement across all segments of the security community. With respect to the particular examples that you cite, I wouldn't expect them to be accepted into the CVE, as they probably are not a violation of any reasonable security policy that is used by a significant segment of the population. Aside from operating system purists who (more or less) joke that the simple presence of a rival OS represents a security risk, I doubt that most individuals concerned with security would think this way. Also, these particular examples are probably at too high of a level of abstraction. However, if we don't make sure that the content decisions for design flaws are sufficiently narrow, then it could be argued that such entries would need to be made. There may be some cases where we can't all agree what constitutes a "vulnerability." But if we can all agree when something *doesn't* constitute a vulnerability, then we can keep the scope of the CVE from getting so broad that portions of it aren't useful to anyone. It would be very useful to get additional input from other Editorial Board members regarding these kinds of content decisions. While these particular content decisions were used for the draft CVE, the Editorial Board discussions will have a direct impact on the final content decisions that are used for the publicly released CVE. - Steve
- Follow-Ups:
- Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- From: Bill Hill <bill@mitre.org>
- Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Prev by Date: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Next by Date: RE: PROPOSAL: Cluster 19 - NTCONFIG (13 candidates)
- Prev by thread: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Next by thread: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Index(es):
