Re: CD PROPOSAL: CATSPEC (Interim Decision 8/24)
Vote: None at this time
I don't understand this one. Is there a concrete scheme for which content
decisions apply to which categories? If so, I missed it, and we might want
to include the text inline here.
"Steven M. Christey" wrote:
>
> Please vote on this pervasive content decision using the space
> provided below. This content decision is scheduled for Interim
> Decision on August 24.
>
> - Steve
>
> Content Decision: CATSPEC (Category-Specific Content Decisions)
> ---------------------------------------------------------------
>
> VOTE:
>
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
>
> Short Description
> -----------------
>
> A vulnerability's category determines what content decisions are
> applied to it.
>
> Rationale
> ---------
>
> In general, software flaws are concrete, well-understood entities that
> have been studied closely, thus it is easier to specify how to
> discriminate between software flaws. Service/application presence
> problems are also concrete, since the name of the service suffices for
> discrimination. However, configuration problems are poorly understood
> and have no well-defined language to describe them. Thus content
> decisions related to configuration problems cannot be effectively
> described.
>
> The category of the vulnerability (as recorded in CMEX) allows an
> interested observer to understand which content decisions have been
> applied to the vulnerability, which thus affect the level of
> abstraction, inclusion in the CVE, etc.
>
> In cases where a vulnerability may have multiple categories, content
> decisions are applied in the following order:
>
> 1) Pervasive
> 2) Exclusions
> 3) Software Flaw
> 4) Configuration Problem
> 5) Service/Application Presence
>
> If the existing content decisions are not sufficient for
> discriminating between vulnerabilities that the Editorial Board
> believes should be distinguished, then those content decisions need to
> be refined, or new ones added.
--
Stuart Staniford-Chen --- President --- Silicon Defense
stuart@silicondefense.com
(707) 822-4588 (707) 826-7571 (FAX)