Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
I agree with Scott on this one. If a vendor discovers the problem on their own (it does happen, you know!) after release, or a customer notifies them of the issue, the vendor isn't going to release the technical issues of the problem, just a brief description, maybe with a risk level of the issue and a patch or updated version to fix it. And that is pretty much what a client is concerned with... am I vulnerable? How do I fix it so I am not? So I don't think we will ever get away from the vagueness. It is frustrating from a research and technical aspect, but something that we have to live with.

Scott's suggestion that the VAGUE CD should specifically refer to issues confirmed by the Vendor but not further detailed is a good idea.

-Mike Prosser
Research Technical Lead, SIRC
Symantec Security Response
Symantec Corporation
mprosser@symantec.com
http://securityresponse.symantec.com
(210) 403-7833
(210) 403-7895 Fax

From: Tknogeek@AOL.COM
Sent by: owner-cve-editorial-board-list@lists.mitre.org
Date: 02/18/2002 09:50 PM
To: cve-editorial-board-list@lists.mitre.org
cc:
Subject: Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)

Pascal and Steve,

My take on this is a practical one, as always. If a vendor chooses to release something vague, they are openly admitting that they have a problem that requires patching. The vendor admits that an exposure or vulnerability exists. While I wish we lived in a world of perfect information, that is not the case. I think CD:VAGUE will help us deal with that imperfection provided we don't overuse it.
I think it's important to remember that one of the primary uses of CVE is to help get systems properly secured. In the cases where a vendor says "You need to install this patch", I think that warrants a CVE entry... even if it is a little vague. If we start assigning VAGUE to unconfirmed items, it could get a little messy. Maybe we need to specify in the definition that VAGUE specifically refers to vague VENDOR-confirmed reports rather than vague in general. I'm sure if we beat this to death long enough we can come up with a metric for vagueness too. :-)

Scott

Scott Lawler, CISSP
Veridian