[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Syntax Vote - results and next steps



On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:

: Not sure if you just wish to be confrontational or just not looking at 
: realities.  

I am aiming for a discussion so that we don't keep hitting this voting 
stalemate. Further, I could ask if you are trying to be a troll with some 
of your comments.

: We have exceeded 10,000 vulnerabilities as a community. If 

Please educate us. Which VDBs have documented 10,000 vulnerabilities in a 
given year exactly. Then show us which ones I am the content manager of.

That's right. I run the only public VDB that has broken 10k that I am 
aware of, and that was in 2006. Since then, we have not hit 10k again but 
we are working toward it with our historical backfill effort.

Now, do you want to discuss who is being confrontational and/or who is 
trolling here? Again, I state as absolute fact, which is not 
confrontational, that historically, we have not hit 10,000 CVEs.

: CVE did not wish to report them all that does not change the situation.  

It absolutely does. If CVE says "we aren't going to report on all 
vulnerabilities", it speaks to the allocation pool required. If current 
guidelines suggest they only monitor X sources, which is a Y percent of 
total disclosed vulnerabilities as documented across all VDBs, it gives us 
a good idea if 1MIL or 10MIL is ever going to be breached by current or 
realistic future policy.

: So what you are arguing about is a single digit?  Really?  By extending 
: it a 'single' digit you can most likely get the votes to pass it. A 
: single digit?

Actually I am arguing against 'B' more than I am arguing for 'A'. Don't 
make assumptions.

I am against the mixed format of 'B' where the padding of zeros applies to 
the first 9999 entries, and no more. I want a standard format. If that is 
'A' and 6, 7, or 18 digits, or if that is 'B' and no padding at all, I 
don't much care. I see the standard digits as easier to work with and it 
helps ensure the identifier is correct in length.

: As for being selfish?  you are sadly mistaken. This is a real cost to 
: the entire community, All vendors and organizations that use CVE 
: internally, they too will have to go through the same QA.  This is not 

That is factually incorrect too. This has absolutely NO cost to a large 
part of the community, unless you are selfishly describing the community 
as "vendors that have technical implementations of the CVE system", of 
which I am a part of on two fronts: my day job, and OSVDB. This impacts me 
more than it impacts you in some ways.

: selfish, this is a reflection of the costs that ALL in the community are 
: going to have to deal with. We want CVE adoption to be universal.  I am 

See above. You have delusions on what the "community" entails here I 
think. You think Joe Researcher with 4 disclosures a year, that is 
currently asking for a CVE has any cost associated with it? No.

Yes, there is a real cost to some members of the community. Yes, you are 
in a position to bear a LOT more cost than 99% of the community. Thus, my 
assertion that your choice may be biased and selfish. That may be a bit 
confrontational, but it is also rooted in logic.

: My opinion is more than clear. I am hoping we will hear from others as 
: well.  We know where you stand as well.

Except, you don't. You made assumptions that I outline and clarify above. 
Now that I tell you that 'A' or 'B' don't matter, as long as it is 
standard, does that change any of your arguments? I've already established 
that you are factually incorrect about two things.


 
Page Last Updated: June 26, 2013