Re: Wireless VE
I was unable to find out more information using Google, e.g., what is their motivation, funding, etc... I would like to know if they have vulnerability information that the CVE doesn't have. I'd like to know how and if they relate vulnerabilities to exploits, and if they have anything as flexible as what I implemented in the coop vdb:
https://cirdb.cerias.purdue.edu/coopvdb/public/

So, they could be doing valuable work, but I can't tell. If it is good work and they have staying power then the CVE will have to adjust. I bet that Steve and the security vendors don't relish the prospect of another mapping job.

However, in theory if both they and the CVE do their job properly, the vulnerability mapping should be one on one unless there are cardinality issues and then it would be one to many. The thing to avoid is an irreversible mapping, where if you go from WVE->CVE->WVE you get a different entry (which would be possible if there is a many-to-many relationship). This situation would likely indicate that some vulnerabilities were incorrectly grouped together by either effort. Maybe WVE and CVE could talk to try to avoid this situation, and establish contacts and procedures in case it happens. If it happens, either the CVE or WVE would need repairs.

Other comments and suggestions come to mind but they would be premature at this point.

In any case, I miss very much the discussions we used to have. I derived a great benefit from them; for example when format string vulnerabilities first started being identified, the board's discussions helped me understand them.

Pascal

On 12/8/05 12:55 PM, "Andy Balinsky" <balinsky@cisco.com> wrote:

> There is a new CVE clone effort out there for Wireless vulnerabilities
> (WVE). This brings up several issues:
> - What is the status of CVE, given that the editorial board hasn't had
> any activity for many many months?
> - Does this WVE effort detract from CVE and add confusion to the world
> by coming up with a second set of standard names for things that CVE
> covers, too? Or is it good to get more information categorized out there
> in the world?
>
> Although their entry format is very similar to CVE (as well as their
> structure, including an Editorial Board), they include 2 categories of
> entries: Vulnerabilities and Exploits. They use the same namespace
> (WVE-2005-????) for both vulns & exploits.
>
> Any ideas or comments?
>
> Andy
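
The WVE->CVE->WVE round trip discussed in the message above, as an added example that is not part of the original post or of either project. It assumes a cross-reference is published as (WVE id, CVE id) pairs and that a round trip follows every link; all ids and function names are constructed placeholders.

```python
from collections import defaultdict

# Constructed sample mapping as (WVE id, CVE id) pairs; every id is a placeholder.
SAMPLE_PAIRS = [
    ("WVE-XXXX-0001", "CVE-XXXX-000A"),  # one-to-one
    ("WVE-XXXX-0002", "CVE-XXXX-000B"),  # one WVE entry split across
    ("WVE-XXXX-0002", "CVE-XXXX-000C"),  #   two CVE entries
    ("WVE-XXXX-0003", "CVE-XXXX-000D"),  # many-to-many: 0003 and 0004
    ("WVE-XXXX-0003", "CVE-XXXX-000E"),  #   both claim CVE-XXXX-000E
    ("WVE-XXXX-0004", "CVE-XXXX-000E"),
    ("WVE-XXXX-0004", "CVE-XXXX-000F"),
]


def build_index(pairs):
    """Return (WVE id -> set of CVE ids, CVE id -> set of WVE ids)."""
    to_cve, to_wve = defaultdict(set), defaultdict(set)
    for wve_id, cve_id in pairs:
        to_cve[wve_id].add(cve_id)
        to_wve[cve_id].add(wve_id)
    return to_cve, to_wve


def round_trip(pairs, wve_id):
    """Follow WVE -> CVE -> WVE across every link; return the WVE ids reached."""
    to_cve, to_wve = build_index(pairs)
    reached = set()
    for cve_id in to_cve.get(wve_id, ()):
        reached |= to_wve[cve_id]
    return reached


def irreversible_entries(pairs):
    """Map each WVE id whose round trip is not just itself to the CVE ids it shares."""
    to_cve, to_wve = build_index(pairs)
    report = {}
    for wve_id in sorted(to_cve):
        if round_trip(pairs, wve_id) != {wve_id}:
            # CVE entries claimed by more than one WVE entry are the regrouping candidates.
            report[wve_id] = sorted(c for c in to_cve[wve_id] if len(to_wve[c]) > 1)
    return report


if __name__ == "__main__":
    for wve_id, shared in irreversible_entries(SAMPLE_PAIRS).items():
        reached = sorted(round_trip(SAMPLE_PAIRS, wve_id))
        print(f"{wve_id}: round trip reaches {reached} via {shared}")
```

The shared CVE ids in the report are the entries either side would need to review for incorrect grouping.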