
RE: The CVE-10K Problem


  • To: "Mark J Cox" <mjc@redhat.com>, "Steven M. Christey" <coley@mitre.org>
  • Subject: RE: The CVE-10K Problem
  • From: "Kevin Ziese (ziese)" <ziese@cisco.com>
  • Date: Mon, 15 Jan 2007 07:50:34 -0800
  • Cc: <cve-editorial-board-list@LISTS.MITRE.ORG>
  • Delivery-Date: Mon Jan 15 10:50:52 2007
  • In-Reply-To: <Pine.LNX.4.64.0701151448410.6432@dell1.moose.awe.com>
  • Thread-Topic: The CVE-10K Problem

Personally, I like the idea of using the raw number value, whatever it
is.  Although it's a bit disconcerting to see values in the ten
thousands place -- it's a very useful way of identifying the gross scale
of the vulnerability problem.

For all of the security technologies and tools -- you'd think we'd start
seeing fewer raw numbers instead of more, eventually.  I think raw
numbers help keep a sense of scale on the whole vulnerability problem.

Are we winning? It doesn't always sound like it; so, raw numbers seem
more useful to me.

Kevin 

-----Original Message-----
From: owner-cve-editorial-board-list@LISTS.MITRE.ORG
[mailto:owner-cve-editorial-board-list@LISTS.MITRE.ORG] On Behalf Of
Mark J Cox
Sent: Monday, January 15, 2007 9:03 AM
To: Steven M. Christey
Cc: cve-editorial-board-list@LISTS.MITRE.ORG
Subject: Re: The CVE-10K Problem

I like seeing CVE identifiers used in publications that go to
non-technical audiences, and I fear we'd frighten them away with hex.  I
find the year useful, even if it's slightly out by one or two years for
some issues.

I almost liked changing the initial identifier based on the type of
issue (why not put all those vulnerable webapps into CVF-2007) but I
think people would be confused because the CAN prefix mapped to CVE
directly, so
CVE-2004-2001 == CAN-2004-2001 but CVF-2007-0001 != CVE-2007-0001.

I'm pretty sure everyone implementing tools around CVE will have to make
tool changes no matter what, so I'd much prefer us rolling over to
CVE-2007-10000 which is a) what people will expect b) much less of a
hack and c) gives the tools at least half a year to prepare.  I also
prefer it since half the Red Hat tools will work just fine where we used
the regexp C\S\S-\d+-\d+ for validity.

Red Hat itself moved from 3 digit to 4 digit advisory identifiers at the
start of 2006 (we added several new products and we share identifiers
between security and non-security updates).  In the end we didn't need
the whole range in 2006, but because we started it at the start of the
year we were able to add the leading 0 to help fix the sorting issues.

Mark
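The points Mark raises above (a validity regexp that does not fix the width of the sequence number, the CAN-to-CVE one-to-one mapping, and the sorting problem that a leading zero works around) are easy to get wrong in tooling. The following is an added example written for this archive page; it is not code from the thread, from Red Hat, or from MITRE. The loose pattern follows the spirit of the quoted C\S\S-\d+-\d+ but restricts the prefix to CVE and CAN (the quoted pattern would also accept a hypothetical CVF prefix); the fixed-width pattern is an assumption about what a tool that hard-coded four digits would have done, and the sample identifiers and advisory text are constructed for the demonstration. It also shows why a plain string sort puts CVE-2007-10000 before CVE-2007-9999, which is the ordering problem the thread alludes to.

```python
import re

# Loose validity pattern: prefix, four-digit year, and a sequence number of
# four OR MORE digits, so CVE-2007-10000 is accepted without a tool change.
LOOSE_ID = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4,})$")

# Assumed fixed-width pattern (illustration only): a tool written this way
# silently rejects every five-digit identifier on rollover.
FIXED_WIDTH_ID = re.compile(r"^(CVE|CAN)-(\d{4})-(\d{4})$")

# Pattern for pulling identifiers out of free text such as an advisory body.
EMBEDDED_ID = re.compile(r"\b(?:CVE|CAN)-\d{4}-\d{4,}\b")

# Constructed sample identifiers, deliberately mixing 4- and 5-digit sequences
# and the legacy CAN prefix.
SAMPLE_IDS = [
    "CVE-2007-0001",
    "CVE-2007-9999",
    "CVE-2007-10000",
    "CAN-2004-2001",
    "CVE-2006-5000",
]


def parse_id(raw):
    """Return (prefix, year, sequence) for a valid identifier, else None."""
    match = LOOSE_ID.match(raw.strip().upper())
    if not match:
        return None
    prefix, year, seq = match.groups()
    return prefix, int(year), int(seq)


def accepts_fixed_width(raw):
    """True if the assumed four-digit-only pattern would accept the identifier."""
    return FIXED_WIDTH_ID.match(raw.strip().upper()) is not None


def canonical(raw):
    """Map CAN-YYYY-NNNN onto CVE-YYYY-NNNN (the 1:1 mapping Mark describes).

    The sequence is zero-padded back to at least four digits so existing
    four-digit identifiers round-trip unchanged and five-digit ones are kept.
    """
    parsed = parse_id(raw)
    if parsed is None:
        return None
    _, year, seq = parsed
    return "CVE-%d-%04d" % (year, seq)


def sort_key(raw):
    """Numeric (year, sequence) key; invalid identifiers sort last."""
    parsed = parse_id(raw)
    if parsed is None:
        return (float("inf"), float("inf"))
    return (parsed[1], parsed[2])


def sort_numeric(ids):
    """Order identifiers by year, then by sequence number as an integer."""
    return sorted(ids, key=sort_key)


def sort_lexical(ids):
    """Plain string sort: the ordering a naive tool gets, 10000 before 9999."""
    return sorted(ids)


def find_ids(text):
    """Extract every CVE/CAN identifier from free text, full width preserved."""
    return EMBEDDED_ID.findall(text)


if __name__ == "__main__":
    print("lexical:", sort_lexical(SAMPLE_IDS))
    print("numeric:", sort_numeric(SAMPLE_IDS))
    for raw in SAMPLE_IDS:
        print(raw, "fixed-width OK:", accepts_fixed_width(raw), "canonical:", canonical(raw))
    # Constructed advisory sentence for the extraction check.
    print(find_ids("Fixes CVE-2007-9999 and CVE-2007-10000; see also CAN-2004-2001."))
```

The practical check for any consumer of identifiers is the one `accepts_fixed_width` fails: feed it a five-digit sequence number and confirm the identifier is neither rejected nor truncated. Comparing `sort_lexical` with `sort_numeric` on the same list shows why a leading-zero convention only postpones the problem, while keying on the parsed integer removes it.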


 
Page Last Updated: May 22, 2007