[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Do you agree? RE: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
- To: <cve-editorial-board-list@lists.mitre.org>
- Subject: Do you agree? RE: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Date: Wed, 20 Feb 2002 22:04:24 -0500
- Delivery-Date: Wed Feb 20 22:08:08 2002
- In-Reply-To: <CF8198D865C1CE42A63C431B42B4D2577A0FBC@RED-MSG-10.redmond.corp.microsoft. com>
- References: <CF8198D865C1CE42A63C431B42B4D2577A0FBC@RED-MSG-10.redmond.corp.microsoft. com>
- Sender: owner-cve-editorial-board-list@lists.mitre.org
At 1:55 PM -0800 2/19/02, David LeBlanc wrote: > >Ah, but we're not very careful to make sure that a problem actually >_exists_ before assigning a CAN to it. There's noise on both ends of the >process. So we should complain about vendors not supplying you with test >exploits and extremely detailed information, but not complain about >vague, poorly written and unreproducible vuln reports that end up in the >CVE? If we're going to start griping about vagueness, let's gripe about >all the vagueness problems, not just some of them. Agreed. I think that low quality CANs made for lack of better information should carry a warning or disclaimer. It doesn't matter if the information comes from the vendor or a discoverer, if there are grounds to suspect it to be dubious. I am willing to let the disclaimer be put at the discretion of the CVE content team. Anyone else agrees to that? Cheers, Pascal -- Pascal Meunier, Ph.D., M.Sc. Assistant Research Scientist, CERIAS Purdue University
- Prev by Date: [TECH] "Responsible Disclosure Process" released
- Next by Date: [TECH] CD:VAGUE and its effect on 46 candidates
- Prev by thread: [TECH] "Responsible Disclosure Process" released
- Next by thread: [TECH] CD:VAGUE and its effect on 46 candidates
- Index(es):
