Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)
"Steven M. Christey" wrote:

> VOTE: (Not voting yet)


> 
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> 
> Short Description
> -----------------
> 
> All content decisions and individual CVE vulnerabilities must be
> considered in light of system administrators and security analysts,
> who are the ultimate beneficiaries of the CVE.
> 

Steve:  

It's possible that I wouldn't have to ask this question if I'd kept up on the
CVE mail better, so apologies if that's so.  I don't have a clear
understanding of how this principle would be applied to actual cases, and the
rationale below doesn't get me there.  Could you throw out a few candidate
numbers that would be affected by this decision, so I can think about it in a
more concrete context?

Stuart.

> Rationale
> ---------
> 
> Security tools (such as assessment tools and IDSes), vulnerability
> databases, and academic research all have an ultimate goal of helping
> an enterprise to make itself more secure from attack.  Within the
> enterprise, system administrators and security analysts are the
> individuals who perform the bulk of the work involved in securing
> systems - applying patches, conducting assessments, keeping current
> with new vulnerabilities, etc.
> 
> One of the goals of the CVE is to facilitate data sharing among
> security tools and databases.  Therefore, its content decisions and
> individual vulnerability entries should consider the impact and usage
> to system administrators and security analysts, despite the
> expectation that they might not use the CVE directly itself.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart@silicondefense.com
(707) 822-4588                     (707) 826-7571 (FAX)

Page Last Updated or Reviewed: May 22, 2007