[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CD PROPOSAL: CATSPEC (Interim Decision 8/24)

Please vote on this pervasive content decision using the space
provided below.  This content decision is scheduled for Interim
Decision on August 24.

- Steve


Content Decision: CATSPEC (Category-Specific Content Decisions)
---------------------------------------------------------------

VOTE:

(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)


Short Description
-----------------

A vulnerability's category determines what content decisions are
applied to it.


Rationale
---------

In general, software flaws are concrete, well-understood entities that
have been studied closely, thus it is easier to specify how to
discriminate between software flaws.  Service/application presence
problems are also concrete, since the name of the service suffices for
discrimination.  However, configuration problems are poorly understood
and have no well-defined language to describe them.  Thus content
decisions related to configuration problems cannot be effectively
described.

The category of the vulnerability (as recorded in CMEX) allows an
interested observer to understand which content decisions have been
applied to the vulnerability, which thus affect the level of
abstraction, inclusion in the CVE, etc.

In cases where a vulnerability may have multiple categories, content
decisions are applied in the following order:

1) Pervasive
2) Exclusions
3) Software Flaw
4) Configuration Problem
5) Service/Application Presence

If the existing content decisions are not sufficient for
discriminating between vulnerabilities that the Editorial Board
believes should be distinguished, then those content decisions need to
be refined, or new ones added.
Page Last Updated or Reviewed: May 22, 2007