Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)



>Content Decision: SYSCON (System Administrator Consideration)
>-------------------------------------------------------------
>
>VOTE:

REJECT

I am always one to agree with practicality, but this is pushing it too far,
and it is very narrow-minded. By strict definition academia has as its goal
the pursuit of pure knowledge, so the statement below about academic
research is false -- academic pursuits that have those good results get
funding, and rightly so, but that's not the primary goal of academia.  This
content decision is much too lopsided towards industry and is dangerous as
well for the CVE, since it can be used to justify almost anything.  Just
the fact that someone feels the need to make this into a CD proposal bodes
ill.

If this CD passes, I will consider resigning from the board, as I fear it
will tie my hands (make my opinions and goals irrelevant) and significantly
lower the relevance of the CVE to what we do.  Indeed, why have academics
on the Board if they are a second-class concern?  Moreover, if academics
are not considered as beneficiaries of the CVE, why do we bother?

Pascal

>
>(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
>
>
>
>Short Description
>-----------------
>
>All content decisions and individual CVE vulnerabilities must be
>considered in light of system administrators and security analysts,
>who are the ultimate beneficiaries of the CVE.
>
>
>Rationale
>---------
>
>Security tools (such as assessment tools and IDSes), vulnerability
>databases, and academic research all have an ultimate goal of helping
>an enterprise to make itself more secure from attack.  Within the
>enterprise, system administrators and security analysts are the
>individuals who perform the bulk of the work involved in securing
>systems - applying patches, conducting assessments, keeping current
>with new vulnerabilities, etc.
>
>One of the goals of the CVE is to facilitate data sharing among
>security tools and databases.  Therefore, its content decisions and
>individual vulnerability entries should consider the impact and usage
>to system administrators and security analysts, despite the
>expectation that they might not use the CVE directly itself.

Page Last Updated or Reviewed: May 22, 2007