[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Do you agree? RE: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)



At 1:55 PM -0800 2/19/02, David LeBlanc wrote:
>
>Ah, but we're not very careful to make sure that a problem actually
>_exists_ before assigning a CAN to it.  There's noise on both ends of the
>process. So we should complain about vendors not supplying you with test
>exploits and extremely detailed information, but not complain about
>vague, poorly written and unreproducible vuln reports that end up in the
>CVE? If we're going to start griping about vagueness, let's gripe about
>all the vagueness problems, not just some of them.

Agreed.  I think that low quality CANs made for lack of better information should carry a warning or disclaimer.  It doesn't matter if the information comes from the vendor or a discoverer, if there are grounds to suspect it to be dubious.  I am willing to let the disclaimer be put at the discretion of the CVE content team.  Anyone else agrees to that?

Cheers,
Pascal
--
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist,
CERIAS
Purdue University

 
Page Last Updated: May 22, 2007