Do you agree? RE: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
At 1:55 PM -0800 2/19/02, David LeBlanc wrote:
>Ah, but we're not very careful to make sure that a problem actually
>_exists_ before assigning a CAN to it. There's noise on both ends of the
>process. So we should complain about vendors not supplying you with test
>exploits and extremely detailed information, but not complain about
>vague, poorly written and unreproducible vuln reports that end up in the
>CVE? If we're going to start griping about vagueness, let's gripe about
>all the vagueness problems, not just some of them.
Agreed. I think that low-quality CANs made for lack of better information should carry a warning or disclaimer. It doesn't matter if the information comes from the vendor or a discoverer, if there are grounds to suspect it to be dubious. I am willing to let the disclaimer be put at the discretion of the CVE content team. Does anyone else agree to that?
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist,