
Re: CVE ID Syntax Vote - results and next steps




This is seriously devolving. Can we possibly drop the temperature a bit and discuss this civilly?

al


On 18 April 2013 15:04, security curmudgeon <jericho@attrition.org> wrote:
On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:

: Not sure if you just wish to be confrontational or just not looking at
: realities.

I am aiming for a discussion so that we don't keep hitting this voting
stalemate. Further, I could ask if you are trying to be a troll with some
of your comments.

: We have exceeded 10,000 vulnerabilities as a community. If

Please educate us. Which VDBs have documented 10,000 vulnerabilities in a
given year exactly. Then show us which ones I am the content manager of.

That's right. I run the only public VDB that has broken 10k that I am
aware of, and that was in 2006. Since then, we have not hit 10k again but
we are working toward it with our historical backfill effort.

Now, do you want to discuss who is being confrontational and/or who is
trolling here? Again, I state as absolute fact, which is not
confrontational, that historically, we have not hit 10,000 CVEs.

: CVE did not wish to report them all that does not change the situation.

It absolutely does. If CVE says "we aren't going to report on all
vulnerabilities", it speaks to the allocation pool required. If current
guidelines suggest they only monitor X sources, which is a Y percent of
total disclosed vulnerabilities as documented across all VDBs, it gives us
a good idea if 1MIL or 10MIL is ever going to be breached by current or
realistic future policy.

: So what you are arguing about is a single digit?  Really?  By extending
: it a 'single' digit you can most likely get the votes to pass it. A
: single digit?

Actually I am arguing against 'B' more than I am arguing for 'A'. Don't
make assumptions.

I am against the mixed format of 'B' where the padding of zeros applies to
the first 9999 entries, and no more. I want a standard format. If that is
'A' and 6, 7, or 18 digits, or if that is 'B' and no padding at all, I
don't much care. I see the standard digits as easier to work with and it
helps ensure the identifier is correct in length.

: As for being selfish?  You are sadly mistaken. This is a real cost to
: the entire community. All vendors and organizations that use CVE
: internally, they too will have to go through the same QA.  This is not

That is factually incorrect too. This has absolutely NO cost to a large
part of the community, unless you are selfishly describing the community
as "vendors that have technical implementations of the CVE system", of
which I am a part on two fronts: my day job, and OSVDB. This impacts me
more than it impacts you in some ways.

: selfish, this is a reflection of the costs that ALL in the community are
: going to have to deal with. We want CVE adoption to be universal.  I am

See above. You have delusions on what the "community" entails here I
think. You think Joe Researcher with 4 disclosures a year, that is
currently asking for a CVE has any cost associated with it? No.

Yes, there is a real cost to some members of the community. Yes, you are
in a position to bear a LOT more cost than 99% of the community. Thus, my
assertion that your choice may be biased and selfish. That may be a bit
confrontational, but it is also rooted in logic.

: My opinion is more than clear. I am hoping we will hear from others as
: well.  We know where you stand as well.

Except, you don't. You made assumptions that I outline and clarify above.
Now that I tell you that 'A' or 'B' don't matter, as long as it is
standard, does that change any of your arguments? I've already established
that you are factually incorrect about two things.



--
V.P. Development
Advanced Malware Group
Sourcefire, Inc.
Office: 403-616-7186
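The disagreement above turns on one technical property: a fixed-width sequence number (the thread's option 'A') lets a consumer check an identifier's length, while the mixed format (option 'B', zero-padded to four digits for the first 9999 entries and unpadded beyond) cannot distinguish a five-digit id that lost its last digit from a legitimate four-digit one. The following is an added example written for this archive page, not code from any list participant or from the CVE project. The fixed width of 6 is an assumption chosen for illustration (the thread mentions 6, 7 or 18 as candidates), and the scheme names 'A' and 'B' follow the thread's labels.

```python
import re

# Assumed fixed width for option 'A'; the thread does not settle on a number.
FIXED_WIDTH = 6

# Option 'B' as described in the thread: at least four digits, padded only
# for the first 9999 entries, then growing without padding.
MIXED_PATTERN = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def fixed_pattern(width=FIXED_WIDTH):
    """Option 'A': the sequence number has exactly `width` zero-padded digits."""
    return re.compile(r"^CVE-(\d{4})-(\d{%d})$" % width)


def parse_cve(identifier, scheme="A", width=FIXED_WIDTH):
    """Return (year, sequence) for a well-formed id under `scheme`,
    or raise ValueError if the id is malformed under that scheme."""
    if scheme == "A":
        m = fixed_pattern(width).match(identifier)
    elif scheme == "B":
        m = MIXED_PATTERN.match(identifier)
        # Beyond four digits option 'B' carries no padding, so a leading
        # zero on a longer sequence is malformed rather than merely unusual.
        if m and len(m.group(2)) > 4 and m.group(2).startswith("0"):
            m = None
    else:
        raise ValueError("unknown scheme %r" % scheme)
    if m is None:
        raise ValueError("malformed CVE id %r under scheme %s" % (identifier, scheme))
    return int(m.group(1)), int(m.group(2))


def format_cve(year, seq, scheme="A", width=FIXED_WIDTH):
    """Render a (year, sequence) pair under `scheme`; option 'A' refuses
    sequence numbers that do not fit the fixed width."""
    if scheme == "A":
        if seq >= 10 ** width:
            raise ValueError("sequence %d exceeds fixed width %d" % (seq, width))
        return "CVE-%04d-%0*d" % (year, width, seq)
    return "CVE-%04d-%04d" % (year, seq)


def truncation_detected(identifier, scheme="A", width=FIXED_WIDTH):
    """Simulate losing the final digit (a constructed copy-paste or
    column-width mishap) and report whether the parser rejects the result.
    Under 'A' the length check catches it; under 'B' a damaged five-digit
    id silently becomes a different, valid four-digit id."""
    damaged = identifier[:-1]
    try:
        parse_cve(damaged, scheme, width)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample ids, one per scheme.
    for ident, scheme in [("CVE-2013-012345", "A"), ("CVE-2013-12345", "B")]:
        print(ident, scheme, parse_cve(ident, scheme),
              "truncation detected:", truncation_detected(ident, scheme))
```

The point the example makes concrete is the one in the reply above: under option 'B' both `CVE-2013-1234` and `CVE-2013-12345` are valid, so the parser has no way to notice that the second lost a digit, whereas under a fixed width the damaged id is the wrong length and is rejected.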

Page Last Updated or Reviewed: October 03, 2014