[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Regarding CVE assignments on oss-sec mailing list
- To: Pascal Meunier <pmeunier@cerias.purdue.edu>, "Williams, Ken"<Ken.Williams@ca.com>
- Subject: Re: Regarding CVE assignments on oss-sec mailing list
- From: Art Manion <amanion@cert.org>
- Date: Mon, 30 Nov 2015 16:06:32 -0500
- CC: jericho <jericho@attrition.org>, cve-editorial-board-list<cve-editorial-board-list@lists.mitre.org>
- Delivery-Date: Tue Dec 1 07:58:14 2015
- In-Reply-To: <20151130130526.59fab5aa@saguenay.hubzero.org>
- List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <CANO=Ty1ZWyzaqpHE2_0h5rQsmtCVs_dziAv68wXs46TJKjozjg@mail.gmail.com> <alpine.LNX.2.00.1511260014170.10220@forced.attrition.org> <CO1PR01MB110EF47E414E26C0A99CB1AF1010@CO1PR01MB110.prod.exchangelabs.com> <20151130130526.59fab5aa@saguenay.hubzero.org>
- Sender: "owner-cve-editorial-board-list@lists.mitre.org"<owner-cve-editorial-board-list@lists.mitre.org>
- Thread-Index: AQHRKA9HM7U8MTP3lE6Ty0ouLK9pIJ6t1v0AgAVJSwCAAcL6AIAAMpkA
- Thread-Topic: Regarding CVE assignments on oss-sec mailing list
On 2015-11-30 13:05, Pascal Meunier wrote: > Adding a CVE ID 3 months after the publication of an advisory should > only help historians. In my mind that defeats a main purpose of the > CVE, which is to know if Alice, Bob and Charlie are talking about the > same issue or not. I'd suggest there are multiple uses of CVE: * Naming/tagging/enumeration/identification/tracking * De-duplication - Pascal's point, related to enumeration * Trend analysis/history (although coverage/selection bias is an issue) * Validation - currently at least, a populated CVE entry implies a "real" vulnerability * Vulnerability management - a combination of naming, de-duplication, and validation Probably missing other uses. And of course perspectives matter: Historians/trend analysts can work with a longer timeframe, those trying to coordinate disclosures cannot. - Art
- References:
- Regarding CVE assignments on oss-sec mailing list
- From: Kurt Seifried <kseifried@redhat.com>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: jericho <jericho@attrition.org>
- RE: Regarding CVE assignments on oss-sec mailing list
- From: "Williams, Ken" <Ken.Williams@ca.com>
- Re: Regarding CVE assignments on oss-sec mailing list
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Regarding CVE assignments on oss-sec mailing list
- Prev by Date: Re: Regarding CVE assignments on oss-sec mailing list
- Next by Date: RE: Regarding CVE assignments on oss-sec mailing list
- Prev by thread: Re: Regarding CVE assignments on oss-sec mailing list
- Next by thread: RE: Regarding CVE assignments on oss-sec mailing list
- Index(es):
