[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CONTENT DECISION: List of all content decisions

In preparation for the CVE Review meeting, I have summarized all the
content decisions that have been discussed and made some small
changes, based on feedback from the Editorial Board.  Content
decisions with notable changes are marked with a *.  Some of these
content decisions have been alluded to, but I had not explicitly named
them until now.

- Steve

High-Level Content Decisions for all CVE Vulnerabilities (Pervasive)

Below is a summary of the high-level content decisions that apply to
all CVE vulnerabilities.

1) Inclusion By Definition Satisfaction (INCLUSION)

   A CVE Vulnerability must satisfy the CVE vulnerability definition.

2) Exclusion by Definition Exception (EXCLUSION)

   Exclude vulnerabilities that satisfy exceptions to the CVE
   vulnerability definition, as identified below.

3) Different Functionality, Different Problem (DIFFUNC)

   Distinguish between components, systems, and executables that are
   functionally different.

4) Category-Specific Content Decisions (CATSPEC)

   A vulnerability's category determines what content decisions
   are applied to it.

5) System Administrator Consideration (SYSCON)

   All content decisions and individual CVE vulnerabilities must be
   considered in light of system administrators and security
   analysts, who are the ultimate beneficiaries of the CVE.

*6) High Cardinality, Innumerable Vulnerabilities are Not
   Distinguished (HIGHCARD)

   In cases where the number of vulnerabilities is so high that it
   will cause a significant increase in the number of entries in the
   CVE (High Cardinality), *and* those vulnerabilities cannot be
   enumerated (Innumerable), then those vulnerabilities are
   combined into a single higher-level vulnerability.

*7) Dot Notation (DOT)

   For vulnerabilities that are not distinguished due to the HIGHCARD
   content decision, Dot Notation may be used to identify specific
   instances of that vulnerability.

Content Decisions for Exclusion by Definition Exception

These high-level content decisions identify exceptions to the CVE
vulnerability definition.

1) Duplication (EX-DUPE)

   Exclude vulnerabilities that are duplicates of an existing CVE

2) Subsumption (EX-SUBSUME)

   Exclude vulnerabilities that subsume (or are subsumed by) an
   existing CVE vulnerability (except GENERICs).

*3) Insufficient Validation (EX-VALIDATE)

   Exclude vulnerabilities that are not sufficiently proven to exist,
   either from the affected vendor, or from at least two independent
   trusted sources.

4) Beta Code (EX-BETA)

   Exclude vulnerabilities in beta or alpha version software, unless
   that version is the only version that is expected to be available.

5) Brute Force (EX-BRUTE)

   Exclude vulnerabilities that are only exploitable via a brute force
   attack that cannot be easily accomplished with commonly available
   computing power.

6) Client-Side DoS (EX-CLIENT)

   Exclude vulnerabilities that occur in easily-recoverable denials of
   service that only impact a specific client application.

Content Decisions for Software Flaws (SF)

1) Different Line of Code, Different Vulnerability (SF-LOC)

   Distinguish between vulnerabilities that appear in the same
   program, but require different modifications to the source code to

2) Same Codebase, Same Vulnerability (SF-CODEBASE)

   If two vulnerabilities have been derived from the same codebase,
   then do not distinguish them, even if they appear on different
   platforms or software versions.

3) Same Library, Same Vulnerability (SF-LIBRARY)

   This is a specialization of SF-CODEBASE and SF-LOC.  If a system
   library or DLL contains a software flaw, do not distinguish the
   different executables that are affected by that library.

4) Different Executables, Different Vulnerability (SF-EXEC)

   This is a specialization of DIFFUNC.  If a vulnerability appears in
   multiple executables, and it does not occur in a library that is
   shared by those executables, then distinguish them.  Executables
   are not distinguished by OS, except as dictated by SF-CODEBASE.

5) Different Time of Discovery, Different Vulnerability (SF-DISCOVERY)

   If a vulnerability is discovered at a different time than other
   vulnerabilities, then distinguish it.

Content Decisions for Configuration Errors (CF)

1) Two Different Network Devices (CF-DEVICE)

   This is a specialization of DIFFUNC.  Distinguish between "hosts"
   and network management devices (e.g. filters, routers, etc.) that
   manage traffic between hosts.  But do not distinguish between
   different types of network management devices.

*2) Two Different Types of Users (CF-USERS)

   This is a specialization of DIFFUNC.  Only distinguish between
   "Anyone" and "Restricted Group."

*3) Three Different Types of Data (CF-DATA)

   This is a specialization of DIFFUNC.  Distinguish between
   "System-Critical," "Application-Critical," and "non-critical" data.
   System-critical data could allow damage to an entire system;
   application-critical data allows damage that is restricted to the
   application's scope.

*4) Two Configuration Error Sources (CF-SOURCE)

   Configuration errors could come from "Default" configurations, or
   from "Operator" configurations.

5) Leveraged vs. Assigned Access (CF-ACCESS)

   Distinguish between vulnerabilities that allow a user to gain
   additional access (Leveraged) versus those for which a user is
   merely assigned access which does not lead to any additional access

6) Different Risk, Same Vulnerability (CF-RISK)

   Do not distinguish between the risk or potential damage of a

7) Same Checkbox, Same Vulnerability (CF-CHECKBOX)

   This is a specialization of DIFFUNC.  Do not distinguish between
   vulnerabilities that can be fixed by the same option on a
   configuration screen ("Checkbox"), or by the same command line.

8) Different Data Operation, Same Vulnerability (CF-OPERATION)

   Do not distinguish between read, write, execute, etc. operations.

9) Different Data Format, Same Vulnerability (CF-FORMAT)

   Do not distinguish between folders, directories, files, file
   systems, etc.

*10) Restricted Group Access and Non-Critical Data are not applicable
   to CVE vulnerabilities (CF-EXCLUDE)

   This is a specialization of EXCLUSION.

Content Decisions for Service/Application Presence (SA)

*1) SA category vulnerabilities are High Cardinality, but Enumerable

2) Distinguish Services with a History of Problems (SA-HISTORY)

3) Distinguish Services useful for Information Gathering (SA-INFO)

4) Distinguish Common Attack Points (SA-ATTACK)

5) Do not Distinguish Other Services (SA-EXCLUDE)

   This is a specialization of EXCLUSION.

Content Decisions for Descriptions

1) Uniqueness (DESC-UNIQ)

   The description must be able to uniquely distinguish a CVE
   vulnerability from other CVE vulnerabilities.

2) Lookup Support (DESC-LOOKUP)

   The description may contain more than the minimal amount of
   information if it will allow someone to more effectively look up
   the name for that vulnerability.

Page Last Updated: May 22, 2007