Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)
> Content Decision: SYSCON (System Administrator Consideration)
> -------------------------------------------------------------

VOTE: REJECT

I think this appears to go away from our "inclusive" idea. I recall reading in our vision of the CVE that "the CVE is independent of perspective." This proposal is contrary to that idea. While the focus of the CVE is practical in nature, I do not believe that applying this rule will be of any help in that regard.

Content should be based, regardless of perspective, on the criteria: if a vulnerability meets the inclusive definition (universal or not); if it is validated; if it is accepted/modified by 50% of board; and at least 2 or 3 (depending how that vote goes) of the voting board members are not Mitre; then the vulnerability can be added.

As long as all board members recognize that their perspective is not the only one, that the CVE is not a taxonomy or a database, and that the CVE includes ALL perspectives and does not bias content on perspective, then it can reflect the desired inclusiveness of vulnerability enumeration.

> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
>
> Short Description
> -----------------
>
> All content decisions and individual CVE vulnerabilities must be
> considered in light of system administrators and security analysts,
> who are the ultimate beneficiaries of the CVE.
>
> Rationale
> ---------
>
> Security tools (such as assessment tools and IDSes), vulnerability
> databases, and academic research all have an ultimate goal of helping
> an enterprise to make itself more secure from attack. Within the
> enterprise, system administrators and security analysts are the
> individuals who perform the bulk of the work involved in securing
> systems - applying patches, conducting assessments, keeping current
> with new vulnerabilities, etc.
>
> One of the goals of the CVE is to facilitate data sharing among
> security tools and databases. Therefore, its content decisions and
> individual vulnerability entries should consider the impact and usage
> to system administrators and security analysts, despite the
> expectation that they might not use the CVE directly itself.

-- 
------------------------------------------------------------
David W. Baker                INFOSEC Engineer
bakerd@mitre.org              G023 - Secure Information Technology
(703) 883-3658                The MITRE Corporation
(703) 883-1397 FAX            1820 Dolley Madison Blvd, Mailstop W422
                              McLean, VA, 22102
------------------------------------------------------------
"Cyberspace. A consensual hallucination experienced daily by billions of
legitimate operators, in every nation, by children being taught
mathematical concepts... A graphic representation of data abstracted from
the banks of every computer in the human system. Unthinkable complexity.
Lines of light ranged in the nonspace of the mind, clusters and
constellations of data. Like city lights, receding..."
    - William Gibson, "Neuromancer"

"640K ought to be enough for anybody."
    - Bill Gates, 1981
-------------------------------------------------------------