
Re: Wireless VE



I was unable to find out more information using Google, e.g., what is their
motivation, funding, etc...  I would like to know if they have vulnerability
information that the CVE doesn't have.  I'd like to know how and if they
relate vulnerabilities to exploits, and if they have anything as flexible as
what I implemented in the coop vdb:
 https://cirdb.cerias.purdue.edu/coopvdb/public/

So, they could be doing valuable work, but I can't tell.  If it is good work
and they have staying power then the CVE will have to adjust.  I bet that
Steve and the security vendors don't relish the prospect of another mapping
job.  However, in theory if both they and the CVE do their job properly, the
vulnerability mapping should be one-to-one unless there are cardinality
issues and then it would be one-to-many.  The thing to avoid is an
irreversible mapping, where if you go from WVE->CVE->WVE you get a different
entry (which would be possible if there is a many-to-many relationship).
This situation would likely indicate that some vulnerabilities were
incorrectly grouped together by either effort.  Maybe WVE and CVE could talk
to try to avoid this situation, and establish contacts and procedures in
case it happens.  If it happens, either the CVE or WVE would need repairs.
Other comments and suggestions come to mind but they would be premature at
this point.

In any case, I miss very much the discussions we used to have.  I derived a
great benefit from them;  for example when format string vulnerabilities
first started being identified, the board's discussions helped me understand
them.

Pascal

On 12/8/05 12:55 PM, "Andy Balinsky" <balinsky@cisco.com> wrote:

> There is a new CVE clone effort out there for Wireless vulnerabilities
> (WVE). This brings up several issues:
> - What is the status of CVE, given that the editorial board hasn't had
> any activity for many many months?
> - Does this WVE effort detract from CVE and add confusion to the world
> by coming up with a second set of standard names for things that CVE
> covers, too? Or is it good to get more information categorized out there
> in the world?
> 
> Although their entry format is very similar to CVE (as well as their
> structure, including an Editorial Board), they include 2 categories of
> entries: Vulnerabilities and Exploits. They use the same namespace
> (WVE-2005-????) for both vulns & exploits.
> 
> Any ideas or comments?
> 
> Andy
> 
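An added example, not part of Pascal's or Andy's mail, of the round-trip check Pascal describes: given a constructed WVE-to-CVE cross-reference list (placeholder ids, not real entries), it follows WVE->CVE->WVE and flags any entry where the trip does not come back to only the starting entry, which is the many-to-many case that points at mis-grouping by one effort or the other.

```python
from collections import defaultdict

# Constructed sample cross-references with placeholder ids; none of these
# are real WVE or CVE entries.  Each pair asserts "this WVE entry and this
# CVE entry describe the same flaw".
SAMPLE_LINKS = [
    ("WVE-0000-0001", "CVE-0000-0001"),  # clean one-to-one
    ("WVE-0000-0002", "CVE-0000-0002"),  # one WVE split into two CVEs
    ("WVE-0000-0002", "CVE-0000-0003"),  # (one-to-many, still reversible)
    ("WVE-0000-0004", "CVE-0000-0004"),  # WVE-0004 and WVE-0005 both map
    ("WVE-0000-0004", "CVE-0000-0005"),  # onto CVE-0005: many-to-many,
    ("WVE-0000-0005", "CVE-0000-0005"),  # so the round trip is not reversible
]


def build_maps(links):
    """Forward (WVE -> CVEs) and reverse (CVE -> WVEs) lookup tables."""
    fwd, rev = defaultdict(set), defaultdict(set)
    for wve, cve in links:
        fwd[wve].add(cve)
        rev[cve].add(wve)
    return fwd, rev


def round_trip(wve, fwd, rev):
    """Follow WVE -> CVE -> WVE and return every WVE entry reached."""
    return {w for cve in fwd[wve] for w in rev[cve]}


def classify(links):
    """Label each WVE entry by the cardinality of its mapping to CVE.

    'many-to-many' means the round trip reaches some other WVE entry, i.e.
    the mapping is irreversible and at least one side grouped flaws wrongly.
    """
    fwd, rev = build_maps(links)
    report = {}
    for wve in fwd:
        if round_trip(wve, fwd, rev) != {wve}:
            report[wve] = "many-to-many"
        elif len(fwd[wve]) > 1:
            report[wve] = "one-to-many"
        else:
            report[wve] = "one-to-one"
    return report


if __name__ == "__main__":
    for wve, kind in sorted(classify(SAMPLE_LINKS).items()):
        print(f"{wve}: {kind}")
```

Entries labelled many-to-many are the ones Pascal says would need repair on the WVE or CVE side; one-to-many entries survive the round trip and are only a cardinality difference.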

Page Last Updated or Reviewed: May 22, 2007