[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [CVEPRI] CVE accuracy, consistency, stability, and timeliness

Andre Frech asked:

>Being more specific helps all communities; the more exacting
>communities could have a method for organizing or excluding what they
>believe is spurious, but you can never reference what's not there.
>Whatever you do, try and avoid the shopping carts mentioned in those
>11 CANs.) :-) :-)

Actually, recent discussions make it clear what to do with shopping
cart vulnerabilities.  Consider:

1) The exploits are usually different

2) The problems are present in products owned by many different

3) The products often provide somewhat different functionality

4) Many of the products don't have source code, so you can only guess
   at whether they have the same bugs or not

There is no conclusive evidence that these problems all arise from the
same code.  Therefore, to follow "Board Doctrine" as it were, they
should remain SPLIT until someone proves otherwise. :-)

- Steve

Page Last Updated or Reviewed: May 22, 2007