Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)
"Steven M. Christey" wrote:
> VOTE: (Not voting yet)
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> Short Description
> All content decisions and individual CVE vulnerabilities must be
> considered in light of system administrators and security analysts,
> who are the ultimate beneficiaries of the CVE.

It's possible that I wouldn't have to ask this question if I'd kept up on the
CVE mail better, so apologies if that's so. I don't have a clear
understanding of how this principle would be applied to actual cases, and the
rationale below doesn't get me there. Could you throw out a few candidate
numbers that would be affected by this decision, so I can think about it in a
more concrete context?

> Security tools (such as assessment tools and IDSes), vulnerability
> databases, and academic research all have an ultimate goal of helping
> an enterprise to make itself more secure from attack. Within the
> enterprise, system administrators and security analysts are the
> individuals who perform the bulk of the work involved in securing
> systems - applying patches, conducting assessments, keeping current
> with new vulnerabilities, etc.
>
> One of the goals of the CVE is to facilitate data sharing among
> security tools and databases. Therefore, its content decisions and
> individual vulnerability entries should consider the impact and usage
> to system administrators and security analysts, despite the
> expectation that they might not use the CVE directly itself.

Stuart Staniford-Chen --- President --- Silicon Defense
(707) 822-4588 (707) 826-7571 (FAX)