RE: CD PROPOSAL: CATSPEC (Interim Decision 8/24)



I mostly voted noop because I do not see how this decision can adversely
affect any given description. In fact, it almost seems like the methodology
can only improve the content.

Please feel free to clarify or amplify any part of the decision in order to
provide corrections or explanations to myself. :-)

Thank you,
Andre

> -----Original Message-----
> From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
> Sent: Tuesday, August 17, 1999 6:45 PM
> To: cve-editorial-board-list@lists.mitre.org
> Subject: CD PROPOSAL: CATSPEC (Interim Decision 8/24)
> 
> 
> Please vote on this pervasive content decision using the space
> provided below.  This content decision is scheduled for Interim
> Decision on August 24.
> 
> - Steve
> 
> 
> Content Decision: CATSPEC (Category-Specific Content Decisions)
> ---------------------------------------------------------------
> 
> VOTE:NOOP
> 
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> 
> 
> Short Description
> -----------------
> 
> A vulnerability's category determines what content decisions are
> applied to it.
> 
> 
> Rationale
> ---------
> 
> In general, software flaws are concrete, well-understood entities that
> have been studied closely, thus it is easier to specify how to
> discriminate between software flaws.  Service/application presence
> problems are also concrete, since the name of the service suffices for
> discrimination.  However, configuration problems are poorly understood
> and have no well-defined language to describe them.  Thus content
> decisions related to configuration problems cannot be effectively
> described.
> 
> The category of the vulnerability (as recorded in CMEX) allows an
> interested observer to understand which content decisions have been
> applied to the vulnerability, which thus affect the level of
> abstraction, inclusion in the CVE, etc.
> 
> In cases where a vulnerability may have multiple categories, content
> decisions are applied in the following order:
> 
> 1) Pervasive
> 2) Exclusions
> 3) Software Flaw
> 4) Configuration Problem
> 5) Service/Application Presence
> 
> If the existing content decisions are not sufficient for
> discriminating between vulnerabilities that the Editorial Board
> believes should be distinguished, then those content decisions need to
> be refined, or new ones added.
> 

Page Last Updated or Reviewed: May 22, 2007