
RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

I wouldn't think so... it becomes a matter of your particular security
policy.  If you need finger running, then for you, you accept whatever
risk (exposure) is involved in running finger. If you know it exposes you to
a certain degree, then you tighten up other areas...  If you don't need
finger on any of your boxes, then as a part of your policies it would not be

My $.02 worth


-----Original Message-----
From: Northcutt, Stephen, CIV, BMDO/DSC
Sent: Thursday, August 26, 1999 8:18 AM
To: 'Steven M. Christey'; cve-editorial-board-list@lists.mitre.org
Subject: RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision

I suppose QUESTION isn't one of the options, but ....

I fully agree with the exposure notion.  I also do not agree that finger is
a vulnerability, it is a program and outside of buffer overflows (which
would be vulnerabilities) and what, it does exactly what it was designed to
do.  Soooo.... if I vote to accept this definition, and we say running
finger is an exposure did we just create a back door way to call finger a
vulnerability?  Inquiring minds truly want to know :)

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, August 24, 1999 6:59 PM
To: cve-editorial-board-list@lists.mitre.org
Subject: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

Please vote on this modification of the INCLUSION content decision.
It has been modified to reflect the modifications suggested by the
Board members, and to use the new "exposure" terminology.

Dave Mann and I are concerned that the voting - even with a minimum of
3 people - could slow down the process of CVE candidate acceptance to
the point where the CVE cannot be timely enough to satisfy most uses
for it.  The active participation of Board members is critical for
this approach to be successful.  We should revisit this voting
approach in a few months to ensure that it is striking the delicate
balance between timeliness and accuracy.

- Steve


(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)

Content Decision: INCLUSION (What to include in the CVE)

Modified: 08/24/1999

A candidate entry may be included in the CVE if all of the following
conditions hold:

1) It satisfies either the CVE vulnerability definition or the CVE
exposure definition

2) It does not satisfy any Exception (see other content decisions)

3) At least 50% of active voting members vote on the candidate, and
there are more votes for inclusion (ACCEPT/MODIFY) than exclusion
(REJECT).  An active voter is one who has voted on the particular
candidate or voted for some candidate in the previous two weeks (or
several times in the previous month), and has not declared themselves
to be inactive.

4) Either:
   - at least 3 non-MITRE members vote for inclusion, *OR*
   - the candidate entry predates the initial public release
     of the CVE, and
     - at least 2 non-MITRE members vote for inclusion, and
     - either the entry is confirmed by the vendor, or it is tested by
       at least one well-known security tool (or mentioned in at least
       one well-known vulnerability database) that is not associated
       with a Board member who voted for the candidate

5) The Moderator has determined that further discussion of the
candidate will not affect the decision with respect to the candidate,
*or* it is in the best interests of the CVE to make a decision.

Page Last Updated or Reviewed: May 22, 2007