
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Counting on CVEs
- To: "Boyle, Stephen V." <sboyle@mitre.org>
- Subject: Re: Counting on CVEs
- From: Art Manion <amanion@cert.org>
- Date: Thu, 8 Mar 2012 15:55:43 -0500
- CC: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-Date: Thu Mar 8 15:56:33 2012
- In-Reply-To: <5084579A0A81C947AB6E6BFB7AFCF9DF13DC66@IMCMBX02.MITRE.ORG>
- List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- OpenPGP: id=36C268A3
- References: <CB7CD170.2DC8A%kent_landfield@mcafee.com> <5084579A0A81C947AB6E6BFB7AFCF9DF13DC66@IMCMBX02.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
- User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:10.0.2) Gecko/20120216 Thunderbird/10.0.2
On 2012-03-08 11:52 , Boyle, Stephen V. wrote: > This might sound like splitting hairs, but how “vulnerabilities” are > counted may well enter into this. I’m not claiming that CVE is keeping > up – both Kent and others have correctly stated reasons and history that > apply, and yeah, somebody who’s only looking at somebody’s raw numbers > (be they CVE or anything else) is going to ask hard questions, > especially when money is hard to come by. > > Having said that, it bears mentioning that by design, there are always > going to be fewer CVEs than there are “vulnerabilities” – it’s kinda one > of the key features. JThere are also more players in the space than > there were a few years ago, each of which has multiple incentives to > publish more vulnerabilities than others. > > Again, I am not saying there’s not a problem – we have to be able to > answer honest questions such as the one Kent relayed. But we also have > to be mindful of what are real, what counting problems exist in all > vulnerability reporting sources, and what that means for CVE. The questions remain IMO: 1. What level of abstraction is appropriate for CVE? 2. What level of completeness is appropriate for CVE? How narrowly do we define "vulnerability," the thing to name/count? Is there desire/need for an accurate count of vulnerabilities? OSVDB either abstracts a little more narrowly than CVE and/or collects more vulnerabilities, so OSVDB has higher numbers. If CVE or any other database were to try to name and count all publicly disclosed vulnerabilities, it would be important to be able to distinguish between a vulnerability that is one of a dozen XSS bugs in a PHP web app and a vulnerability that is a straight up stack buffer overflow in httpd. Sure, count them all, but be able to say that out of 20K vulnerabilities named this year, 61% were XSS or SQLi in web apps with low distribution. I'm guessing at some numbers in the above example, but this is a big reason IMO that CVE numbers have declined. Vulnerabilities "worth tracking with a CVE" have declined, not the total number of vulnerabilities. Another way to look at it might be that thee criteria for "worth tracking with a CVE" has changed. And we're not even talking about threat or asset values (both of which have changed over time, and are different depending on your site/assets), which influence risk. So a decrease in CVE IDs has little directly to do with internet risk overall. - Art
- Follow-Ups:
- RE: Counting on CVEs
- From: Tim Keanini <tkeanini@ncircle.com>
- Re: Counting on CVEs
- From: security curmudgeon <jericho@attrition.org>
- RE: Counting on CVEs
- References:
- Counting on CVEs
- From: <Kent_Landfield@McAfee.com>
- RE: Counting on CVEs
- From: "Boyle, Stephen V." <sboyle@mitre.org>
- Counting on CVEs
- Prev by Date: RE: Counting on CVEs
- Next by Date: RE: Counting on CVEs
- Prev by thread: RE: Counting on CVEs
- Next by thread: RE: Counting on CVEs
- Index(es):
