Not sure if you just wish to be confrontational or just not looking at realities. We have exceeded 10,000 vulnerabilities as a community. If CVE did not wish to report them all that does not change the situation. We can all decide to re-scope CVE so we will never get over 10K by putting on the brakes in June when we get to 5K. What service does that do the community? Not reporting an issue just means that we as a community are deaf, dumb and blind to that attack vector.
There are funding, process and resource issues as to why we decided to scope down and focus only on a set of products. I never have believed that was right for the community but you have to work within what you have. The value of CVE is in reporting vulnerabilities to the community. What we are forced to do today because of the constraints given does not mean we should be shortsighted with the potential needs of the future.
So what you are arguing about is a single digit? Really? By extending it a 'single' digit you can most likely get the votes to pass it. A single digit…
As for being selfish… you are sadly mistaken. This is a real cost to the entire community. All vendors and organizations that use CVE internally, they too will have to go through the same QA. This is not selfish, this is a reflection of the costs that ALL in the community are going to have to deal with. We want CVE adoption to be universal. I am voting for those that have to adopt this in their products, customers that have to use it in their internal security databases and systems. Selfish I am not, I am looking at the ENTIRE impact of this on the community not on a single database.
My opinion is more than clear. I am hoping we will hear from others as well. We know where you stand as well.
From: security curmudgeon <firstname.lastname@example.org>
Date: Thursday, April 18, 2013 2:30 PM
To: Kent Landfield <Kent_Landfield@McAfee.com>
Cc: "email@example.com" <firstname.lastname@example.org>
Subject: Re: CVE ID Syntax Vote - results and next steps