Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)



Pascal and Steve,
My take on this is a practical one as always. If a vendor chooses to
release something vague, they are openly admitting that they have a
problem that requires patching.  The vendor admits that an exposure or
vulnerability exists.  While I wish we lived in a world of perfect
information that is not the case.  I think CD:VAGUE will help us deal
with that imperfection provided we don't overuse it.

I think it's important to remember that one of the primary uses of CVE is
to help get systems properly secured. In the cases where a vendor says
"You need to install this patch", I think that warrants a CVE entry...even if it
is a little vague.

If we start assigning VAGUE to unconfirmed items, it could get a
little messy.  Maybe we need to specify in the definition that VAGUE
specifically refers to vague VENDOR confirmed reports rather than vague
in general.  

I'm sure if we beat this to death long enough we can come up with a
metric for vagueness too.  :-)

Scott

Scott Lawler, CISSP
Veridian


Page Last Updated or Reviewed: May 22, 2007