[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)
I don't quite take the extreme position Pascal does, but I agree with his general sentiment -- you badly mischaracterize academia, and the attitude expressed is one that would keep me from wanting to participate in any future CVE activities. > >Content Decision: SYSCON (System Administrator Consideration) > >------------------------------------------------------------- > > > >VOTE: > > REJECT > > I am always one to agree with practicality, but this is pushing it too far, > and it is very narrow-minded. By strict definition academia has for goal > the pursuit of pure knowledge, so the statement below about academic > research is false -- academic pursuits that have those good results get > funding, and rightly so, but that's not the primary goal of academia. This > content decision is much too lopsided towards industry and is dangerous as > well for the CVE, since it can be used to justify almost anything. Just > the fact that someone feels the need to make this into a CD proposal bodes > ill. > > If this CD passes, I will consider resigning from the board, as I fear it > will tie my hands (make my opinions and goals irrelevant) and significantly > lower the relevance of the CVE to what we do. Indeed, why have academics > on the Board if they are a second-class concern? Moreover, if academics > are not considered as beneficiaries of the CVE, why do we bother? > > Pascal > > > > >(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.) > > > > > > > >Short Description > >----------------- > > > >All content decisions and individual CVE vulnerabilities must be > >considered in light of system administrators and security analysts, > >who are the ultimate beneficiaries of the CVE. > > > > > >Rationale > >--------- > > > >Security tools (such as assessment tools and IDSes), vulnerability > >databases, and academic research all have an ultimate goal of helping > >an enterprise to make itself more secure from attack. Within the > >enterprise, system administrators and security analysts are the > >individuals who perform the bulk of the work involved in securing > >systems - applying patches, conducting assessments, keeping current > >with new vulnerabilities, etc. > > > >One of the goals of the CVE is to facilitate data sharing among > >security tools and databases. Therefore, its content decisions and > >individual vulnerability entries should consider the impact and usage > >to system administrators and security analysts, despite the > >expectation that they might not use the CVE directly itself.