Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)

I don't quite take the extreme position Pascal does, but I agree with his general sentiment -- you badly mischaracterize academia, and the attitude expressed is one that would keep me from wanting to participate in any future CVE activities.

> >Content Decision: SYSCON (System Administrator Consideration)
> >-------------------------------------------------------------
> >
> >VOTE:
>
> REJECT
>
> I am always one to agree with practicality, but this is pushing it too far,
> and it is very narrow-minded. By strict definition academia has for goal
> the pursuit of pure knowledge, so the statement below about academic
> research is false -- academic pursuits that have those good results get
> funding, and rightly so, but that's not the primary goal of academia. This
> content decision is much too lopsided towards industry and is dangerous as
> well for the CVE, since it can be used to justify almost anything. Just
> the fact that someone feels the need to make this into a CD proposal bodes
> ill.
>
> If this CD passes, I will consider resigning from the board, as I fear it
> will tie my hands (make my opinions and goals irrelevant) and significantly
> lower the relevance of the CVE to what we do. Indeed, why have academics
> on the Board if they are a second-class concern? Moreover, if academics
> are not considered as beneficiaries of the CVE, why do we bother?
>
> Pascal
>
> >
> >(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> >
> >
> >Short Description
> >-----------------
> >
> >All content decisions and individual CVE vulnerabilities must be
> >considered in light of system administrators and security analysts,
> >who are the ultimate beneficiaries of the CVE.
> >
> >
> >Rationale
> >---------
> >
> >Security tools (such as assessment tools and IDSes), vulnerability
> >databases, and academic research all have an ultimate goal of helping
> >an enterprise to make itself more secure from attack. Within the
> >enterprise, system administrators and security analysts are the
> >individuals who perform the bulk of the work involved in securing
> >systems - applying patches, conducting assessments, keeping current
> >with new vulnerabilities, etc.
> >
> >One of the goals of the CVE is to facilitate data sharing among
> >security tools and databases. Therefore, its content decisions and
> >individual vulnerability entries should consider the impact and usage
> >to system administrators and security analysts, despite the
> >expectation that they might not use the CVE directly itself.