[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)

Scott Lawler said:

>I'm sure if we beat this to [death] long enough we can come up with a
>metric for vagueness too.  :-)

Funny you should mention that...  I'm currently preparing the next CVE
version, which means reviewing the candidates that have enough ACCEPT
votes, making final modifications, etc.  Since CD:VAGUE is so new,
*and* this is the first time I've reviewed the major batch of legacy
candidates that was proposed in September, I'm finding a number of
candidates that are directly affected by CD:VAGUE.  Besides the old
CERT advisories and other advisories I've alluded to in past emails,
I'm running across a few examples that pose the question: "how vague
is too vague?"  I'll ask this question (and others), and provide
specific examples, sometime after a few hundred less questionable
candidates are moved to the Interim Decision phase.

- Steve

Page Last Updated or Reviewed: May 22, 2007