Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities )

Andre Frech said:

>there are several pending items in CVE that are only cross-referenced
>by security tool references, or no references at all.

The candidates that have no references at all, or have vague
descriptions, are generally slated for rejection.  The voting record
normally shows that the voters get confused as to which issue is being
discussed.  It's the worst with the items from the "draft CVE" of
summer 1999, because I didn't realize how important detailed
descriptions and good references were :-) Vague descriptions and
poor/no references also increase the likelihood of mapping errors in
CVE-compatible products, another reason why these types of CVEs should
be avoided.

Note: some of these issues may have been promoted to official CVE
entries in the early days.

>Some of the latter category we have located in our database as items
>in competitor's scanning features

This is not particularly surprising since the draft CVE was populated
mostly from CERT advisories and scanner tool databases.  It is also
possible that some of these were promoted to entries as well.

>or (worse yet) unconfirmed/unreferenced issues that have been picked
>up by the SANS Top 20 list.

I'll review the list myself and try to see which CANs you're referring
to, unless you have some specific examples.

Eric Cole can talk more on this if he wishes, but many items in the
Top 20 were identified as examples of the types of problems that the
Top 20 was talking about.  But since it was me who provided the
CVE/CAN names for the examples, the blame is solely mine.

>I don't know if these items can be rounded up into CD:VAGUE or if
>there is another content decision affecting them, but there seem to be
>enough of them to define a CD:VAGUE EXCLUSION type.

I'd like CD:VAGUE to focus explicitly on vendor advisories, but I have
generally taken the approach that a vaguely written candidate without
explicit supporting references should be REJECTed.  I haven't
formalized this as a CD, however, though as you suggest, maybe I

- Steve

Page Last Updated or Reviewed: May 22, 2007