
Re: CD PROPOSAL: CATSPEC (Interim Decision 8/24)

Doesn't this complicate things a bit!  Now, for the CDs I just voted on,
should we have had a vote on which categories they applied to?

Is this really necessary?  Do we have CDs which are incorrect for some
categories, or are not applicable?  Big difference.  But, if incorrect,
then maybe the CD is flawed.  If n/a, well then do we need a rule for

Sorry I'm rambling.  Steve, maybe an example or two would help me here.


"Steven M. Christey" wrote:

> Please vote on this pervasive content decision using the space
> provided below.  This content decision is scheduled for Interim
> Decision on August 24.
> - Steve
> Content Decision: CATSPEC (Category-Specific Content Decisions)
> ---------------------------------------------------------------
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> Short Description
> -----------------
> A vulnerability's category determines what content decisions are
> applied to it.
> Rationale
> ---------
> In general, software flaws are concrete, well-understood entities that
> have been studied closely, thus it is easier to specify how to
> discriminate between software flaws.  Service/application presence
> problems are also concrete, since the name of the service suffices for
> discrimination.  However, configuration problems are poorly understood
> and have no well-defined language to describe them.  Thus content
> decisions related to configuration problems cannot be effectively
> described.
> The category of the vulnerability (as recorded in CMEX) allows an
> interested observer to understand which content decisions have been
> applied to the vulnerability, which thus affect the level of
> abstraction, inclusion in the CVE, etc.
> In cases where a vulnerability may have multiple categories, content
> decisions are applied in the following order:
> 1) Pervasive
> 2) Exclusions
> 3) Software Flaw
> 4) Configuration Problem
> 5) Service/Application Presence
> If the existing content decisions are not sufficient for
> discriminating between vulnerabilities that the Editorial Board
> believes should be distinguished, then those content decisions need to
> be refined, or new ones added.

Page Last Updated or Reviewed: May 22, 2007