RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30
Vote: RECAST

Suggested text follows:

A candidate entry may be included in the CVE, with an X tag for Vulnerabilities and a Y tag for Exposures if all of the following conditions hold:

1) It satisfies either the CVE vulnerability definition or the CVE exposure definition

/* X and Y are nominal, don't care how tagging is accomplished but it should be readily obvious from the candidate number. This could be BIG win for the intrusion detection community, if you have the intersections of Vulnerability + Exploit + Exposure you can pretty durn well calculate severity. The IDS is tasked to detect the exploit, or attack, having the matching information domains from scanners and other sources could be pretty neat! */

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Thursday, August 26, 1999 3:05 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: Re: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

Steve Northcutt wrote:

>So I understand and agree - candidates that meet the CVE vulnerability
>definition and meet all the criteria may be included in the CVE. I don't
>understand why exposures that meet the rest of the conditions should end up
>included in the CVE. It seems like this presents a way for these exposure
>candidates such as finger, to become members of the class Vulnerabilities,
>when in fact they should be members of a class Exposures. Hey! We could
>start the CEE :) S.

Note that we have proposed changing the name of the CVE to be "Common Vulnerabilities and Exposures." This idea has been accepted offline by most Board members I've spoken to. The trick will be for us Board members to use this new name, which effectively states that this list of "problems" will include both classes. Any discussions about how to discriminate between these two classes should be postponed until sometime after the big splash at SANS.

How we discriminate between vulnerabilities and exposures, and what form that information might take, is future work. The current work is to iron out the details of the Interoperability Demo and to approve as many draft CVE entries as is feasible (as associated content decisions are resolved), so that the CVE has a credible introduction to the public.

- Steve