[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- To: "Steven M. Christey" <coley@linus.mitre.org>
- Subject: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- From: Gene Spafford <spaf@cs.purdue.edu>
- Date: Tue, 20 Jul 1999 22:44:36 -0500
- Cc: cve-editorial-board-list@lists.mitre.org
- In-Reply-To: <199907210332.XAA10246@basie.mitre.org>
- References: <199907210332.XAA10246@basie.mitre.org>
- Reply-To: spaf@cs.purdue.edu
Hmm, interesting. Suppose we consider a "rule of thumb:" Any software that functions according to its specification, and whose correct functioning is within the bounds of a common security policy (but not necessarily *every* policy) will NOT be considered a vulnerability for inclusion in the CVE." Thus, the finger program would not be a vulnerability so long as all of its functions are correct and known. We might allow its use in an academic environment, so it is not a vulnerability. By that token, I would contend that guessable passwords are not a vulnerability, either. Of course, this introduces the question of where do we get complete specifications and common policies.... :-) --spaf
- References:
- PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- From: "Steven M. Christey" <coley@linus.mitre.org>
- PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Prev by Date: CONTENT DECISION: Discussion related to DESIGN and NTCONFIG clusters
- Next by Date: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Prev by thread: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Next by thread: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
- Index(es):
