
RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30



Vote: RECAST

Suggested text follows:

A candidate entry may be included in the CVE, with an X tag for
Vulnerabilities and a Y tag for Exposures if all of the following conditions
hold:

1) It satisfies either the CVE vulnerability definition or the CVE
exposure definition

/* X and Y are nominal, don't care how tagging is accomplished but it should
be readily obvious from the candidate number.  This could be a BIG win for the
intrusion detection community, if you have the intersections of
Vulnerability + Exploit + Exposure you can pretty durn well calculate
severity. The IDS is tasked to detect the exploit, or attack, having the
matching information domains from scanners and other sources could be pretty
neat! */

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Thursday, August 26, 1999 3:05 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: Re: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30


Steve Northcutt wrote:

>So I understand and agree - candidates that meet the CVE vulnerability
>definition and meet all the criteria may be included in the CVE.  I don't
>understand why exposures that meet the rest of the conditions should end up
>included in the CVE.  It seems like this presents a way for these exposure
>candidates such as finger, to become members of the class Vulnerabilities,
>when in fact they should be members of a class Exposures.  Hey!  We could
>start the CEE :)  S.

Note that we have proposed changing the name of the CVE to be "Common
Vulnerabilities and Exposures."  This idea has been accepted offline
by most Board members I've spoken to.  The trick will be for us Board
members to use this new name, which effectively states that this list
of "problems" will include both classes.

Any discussions about how to discriminate between these two classes
should be postponed until sometime after the big splash at SANS.  How
we discriminate between vulnerabilities and exposures, and what form
that information might take, is future work.  The current work is to
iron out the details of the Interoperability Demo and to approve as
many draft CVE entries as is feasible (as associated content decisions
are resolved), so that the CVE has a credible introduction to the
public.

- Steve

Page Last Updated or Reviewed: May 22, 2007