CONTENT DECISION: List of all content decisions



In preparation for the CVE Review meeting, I have summarized all the
content decisions that have been discussed and made some small
changes, based on feedback from the Editorial Board.  Content
decisions with notable changes are marked with a *.  Some of these
content decisions have been alluded to, but I had not explicitly named
them until now.

- Steve



High-Level Content Decisions for all CVE Vulnerabilities (Pervasive)
--------------------------------------------------------------------

Below is a summary of the high-level content decisions that apply to
all CVE vulnerabilities.

1) Inclusion By Definition Satisfaction (INCLUSION)

   A CVE Vulnerability must satisfy the CVE vulnerability definition.

2) Exclusion by Definition Exception (EXCLUSION)

   Exclude vulnerabilities that satisfy exceptions to the CVE
   vulnerability definition, as identified below.

3) Different Functionality, Different Problem (DIFFUNC)

   Distinguish between components, systems, and executables that are
   functionally different.

4) Category-Specific Content Decisions (CATSPEC)

   A vulnerability's category determines what content decisions
   are applied to it.

5) System Administrator Consideration (SYSCON)

   All content decisions and individual CVE vulnerabilities must be
   considered in light of system administrators and security
   analysts, who are the ultimate beneficiaries of the CVE.

*6) High Cardinality, Innumerable Vulnerabilities are Not
   Distinguished (HIGHCARD)

   In cases where the number of vulnerabilities is so high that it
   will cause a significant increase in the number of entries in the
   CVE (High Cardinality), *and* those vulnerabilities cannot be
   enumerated (Innumerable), then those vulnerabilities are
   combined into a single higher-level vulnerability.

*7) Dot Notation (DOT)

   For vulnerabilities that are not distinguished due to the HIGHCARD
   content decision, Dot Notation may be used to identify specific
   instances of that vulnerability.


Content Decisions for Exclusion by Definition Exception
-------------------------------------------------------

These high-level content decisions identify exceptions to the CVE
vulnerability definition.

1) Duplication (EX-DUPE)

   Exclude vulnerabilities that are duplicates of an existing CVE
   vulnerability.

2) Subsumption (EX-SUBSUME)

   Exclude vulnerabilities that subsume (or are subsumed by) an
   existing CVE vulnerability (except GENERICs).

*3) Insufficient Validation (EX-VALIDATE)

   Exclude vulnerabilities that are not sufficiently proven to exist,
   either from the affected vendor, or from at least two independent
   trusted sources.

4) Beta Code (EX-BETA)

   Exclude vulnerabilities in beta or alpha version software, unless
   that version is the only version that is expected to be available.

5) Brute Force (EX-BRUTE)

   Exclude vulnerabilities that are only exploitable via a brute force
   attack that cannot be easily accomplished with commonly available
   computing power.

6) Client-Side DoS (EX-CLIENT)

   Exclude vulnerabilities that occur in easily-recoverable denials of
   service that only impact a specific client application.


Content Decisions for Software Flaws (SF)
-----------------------------------------

1) Different Line of Code, Different Vulnerability (SF-LOC)

   Distinguish between vulnerabilities that appear in the same
   program, but require different modifications to the source code to
   fix.

2) Same Codebase, Same Vulnerability (SF-CODEBASE)

   If two vulnerabilities have been derived from the same codebase,
   then do not distinguish them, even if they appear on different
   platforms or software versions.

3) Same Library, Same Vulnerability (SF-LIBRARY)

   This is a specialization of SF-CODEBASE and SF-LOC.  If a system
   library or DLL contains a software flaw, do not distinguish the
   different executables that are affected by that library.

4) Different Executables, Different Vulnerability (SF-EXEC)

   This is a specialization of DIFFUNC.  If a vulnerability appears in
   multiple executables, and it does not occur in a library that is
   shared by those executables, then distinguish them.  Executables
   are not distinguished by OS, except as dictated by SF-CODEBASE.

5) Different Time of Discovery, Different Vulnerability (SF-DISCOVERY)

   If a vulnerability is discovered at a different time than other
   vulnerabilities, then distinguish it.


Content Decisions for Configuration Errors (CF)
-----------------------------------------------

1) Two Different Network Devices (CF-DEVICE)

   This is a specialization of DIFFUNC.  Distinguish between "hosts"
   and network management devices (e.g. filters, routers, etc.) that
   manage traffic between hosts.  But do not distinguish between
   different types of network management devices.

*2) Two Different Types of Users (CF-USERS)

   This is a specialization of DIFFUNC.  Only distinguish between
   "Anyone" and "Restricted Group."

*3) Three Different Types of Data (CF-DATA)

   This is a specialization of DIFFUNC.  Distinguish between
   "System-Critical," "Application-Critical," and "non-critical" data.
   System-critical data could allow damage to an entire system;
   application-critical data allows damage that is restricted to the
   application's scope.

*4) Two Configuration Error Sources (CF-SOURCE)

   Configuration errors could come from "Default" configurations, or
   from "Operator" configurations.

5) Leveraged vs. Assigned Access (CF-ACCESS)

   Distinguish between vulnerabilities that allow a user to gain
   additional access (Leveraged) versus those for which a user is
   merely assigned access which does not lead to any additional access
   (Assigned).

6) Different Risk, Same Vulnerability (CF-RISK)

   Do not distinguish between the risk or potential damage of a
   vulnerability.

7) Same Checkbox, Same Vulnerability (CF-CHECKBOX)

   This is a specialization of DIFFUNC.  Do not distinguish between
   vulnerabilities that can be fixed by the same option on a
   configuration screen ("Checkbox"), or by the same command line.

8) Different Data Operation, Same Vulnerability (CF-OPERATION)

   Do not distinguish between read, write, execute, etc. operations.

9) Different Data Format, Same Vulnerability (CF-FORMAT)

   Do not distinguish between folders, directories, files, file
   systems, etc.

*10) Restricted Group Access and Non-Critical Data are not applicable
   to CVE vulnerabilities (CF-EXCLUDE)

   This is a specialization of EXCLUSION.



Content Decisions for Service/Application Presence (SA)
-------------------------------------------------------

*1) SA category vulnerabilities are High Cardinality, but Enumerable
   (SA-HIGHCARD)

2) Distinguish Services with a History of Problems (SA-HISTORY)

3) Distinguish Services useful for Information Gathering (SA-INFO)

4) Distinguish Common Attack Points (SA-ATTACK)

5) Do not Distinguish Other Services (SA-EXCLUDE)

   This is a specialization of EXCLUSION.


Content Decisions for Descriptions
----------------------------------

1) Uniqueness (DESC-UNIQ)

   The description must be able to uniquely distinguish a CVE
   vulnerability from other CVE vulnerabilities.

2) Lookup Support (DESC-LOOKUP)

   The description may contain more than the minimal amount of
   information if it will allow someone to more effectively look up
   the name for that vulnerability.

Page Last Updated or Reviewed: May 22, 2007