RE: Counting on CVEs

To: Russ Cooper <Russ.Cooper@rc.on.ca>
Subject: RE: Counting on CVEs
From: security curmudgeon <jericho@attrition.org>
Date: Thu, 8 Mar 2012 02:31:03 -0600
CC: "cve-editorial-board-list@lists.mitre.org"<cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Thu Mar 8 03:32:16 2012
In-Reply-To: <A27B80707A1E924891446594C00EBA8C52B245E2@Sunfish.rc.on.ca>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <CB7CD170.2DC8A%kent_landfield@mcafee.com> <ED311CBEE6993C428563DEDF6D083BC81180FBF7@usilms113b.ca.com> <A27B80707A1E924891446594C00EBA8C52B245E2@Sunfish.rc.on.ca>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)

: ?In the beginning??we talked about needing 1 CVE number to represent 
: integer overflow, or another for insufficient parsing?clearly that never 
: stuck. But equally, it would seem that some vendors would like to assign 
: a CVE per ?threat?, which should also have never stuck.

There is CWE for that: http://cwe.mitre.org/

: I?m unaware of > 10,000 new vulnerabilities per year, at least not in 
: what I would consider ?new vulnerabilities?. That?s one heck of a lot of 
: lines of code, but if you?re counting vulnerabilities in Android Apps, 
: then I could also see that number be incredibly low. So perhaps the 
: issues aren?t with vulnerabilities, but instead with exposures??

OSVDB has 10,895 entries for 2006. Note, that OSVDB abstracts very 
differently than CVE or any other VDB currently, so I would guess we're 
the only ones who have hit that mark.

There is additional discussion on CVE handling the #### issue on the 
CERT-run vrdx mail list.

Follow-Ups:
- Re: Counting on CVEs
  - From: Art Manion <amanion@cert.org>

References:
- Counting on CVEs
  - From: <Kent_Landfield@McAfee.com>
- RE: Counting on CVEs
  - From: "Williams, James K" <James.Williams@ca.com>
- RE: Counting on CVEs
  - From: Russ Cooper <Russ.Cooper@rc.on.ca>

Prev by Date: RE: Counting on CVEs
Next by Date: Re: Counting on CVEs
Prev by thread: RE: Counting on CVEs
Next by thread: Re: Counting on CVEs
Index(es):
- Date
- Thread

Page Last Updated: November 06, 2012

Common Vulnerabilities and Exposures

RE: Counting on CVEs