
RE: Second CVE ID syntax vote - status inquiry

Symantec's voting choice

-Mike Prosser

CVE ID Syntax Change - Second Round Voting Ballot
- Deadline May 22, 2013, 11:59 PM EDT

Filling out the ballot

1) As specified in the VOTING BALLOT below, clearly indicate your
   FIRST CHOICE and SECOND CHOICE.  For each choice, list either
   "OPTION A" or "OPTION B".

   - Each option can only be listed once.

   - The FIRST choice is the syntax option that is your primary
     This is the option that you most want CVE to use.

   - The SECOND choice is the option that you would select *if* your
     FIRST choice is not accepted.

2) For each choice, fill out the associated REASONS section to give
   your reason(s) for supporting (or not supporting) your choice. The
   reason(s) must be in plain text and included in-line with the form,
   not as an attachment. There is no limit on the length of your


OPTION A: Year + 8 digits, with leading 0's

-  Examples: 
   CVE-2014-00000001, CVE-2014-00000999, CVE-2014-00001234, 
   CVE-2014-00009999, CVE-2014-00010000, CVE-2014-00123456, 
   CVE-2014-01234567, CVE-2014-12345678

OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

-  Examples: 
   CVE-2014-0001, CVE-2014-0999, CVE-2014-1234, CVE-2014-9999, 
   CVE-2014-10000, CVE-2014-54321, CVE-2014-99999, 
   CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, 


Enter your votes as specified in the preceding "Instructions" and "Filling out the ballot" sections.



REASONS (first choice): 

Not sure we need the 7-digits but Option B provides the best flexibility with the least probabilities of errors from the leading zeros in Option A.  Human nature and errors being what they are, that many leading zeros is too error/transcription prone.  
Option B is the closest to what our customers are used to seeing and working with.  The majority of our customers are now using the CVE ID as the actual vulnerability name when asking questions.  As in "Does CVE-2013-12345 impact us?"  So, since we have finally been able to reach the point where CVEs are widely accepted and used, modifications need to be as non-disruptive as possible.  

Realize this view is seen as putting consumers ahead of the community, but if there weren't consumers, not sure how much of a community would be left.

While Option B may not have been everyone's favorite choice initially, it's the best choice of these two. 



REASONS (second choice): It's the second of two and, while it might be a good choice due to a set character length as opposed to Option B, the number of leading zeros leaves too much room for errors.
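
The two syntaxes on the ballot, written as validators. This is an added example, not part of the original post or of any CVE tooling; the function names are made up here, and the regular expressions are one reading of the option descriptions and examples above. It renders one sequence number under both options and checks which option accepts IDs typed with the wrong number of leading zeros.

```python
import re

# Option A: year + exactly 8 digits, zero-padded on the left.
OPTION_A = re.compile(r"CVE-(\d{4})-(\d{8})")
# Option B: year + 4 or more digits; leading zeros only pad IDs 1-999 to 4 digits.
# (Whether sequence number 0 is valid is not stated on the page; not checked here.)
OPTION_B = re.compile(r"CVE-(\d{4})-(\d{4}|[1-9]\d{4,})")


def render(year, seq, option):
    """Format a sequence number under the chosen ballot option."""
    if option == "A":
        if seq > 99_999_999:
            raise ValueError("Option A has room for 8 digits only")
        return f"CVE-{year}-{seq:08d}"
    return f"CVE-{year}-{seq:04d}"  # Option B: pad to 4, then grow as needed


def accepted_by(cve_id):
    """Return the set of ballot options whose syntax accepts this string."""
    return {name for name, rx in (("A", OPTION_A), ("B", OPTION_B))
            if rx.fullmatch(cve_id)}


def parse(cve_id):
    """Return (year, seq) if either option accepts the ID, else None."""
    for rx in (OPTION_A, OPTION_B):
        m = rx.fullmatch(cve_id)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


if __name__ == "__main__":
    # Constructed inputs: ballot examples plus IDs with a wrong zero count.
    for s in ["CVE-2014-00001234", "CVE-2014-1234", "CVE-2014-12345678",
              "CVE-2014-0001234", "CVE-2014-000001234", "CVE-2014-01234"]:
        print(f"{s:20} accepted by {sorted(accepted_by(s)) or 'neither'}")
```

An 8-digit ID with no leading zero, such as CVE-2014-12345678, is well-formed under both options, so a consumer cannot tell from the string alone which syntax produced it.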

Page Last Updated or Reviewed: October 03, 2014