Re: Regarding CVE assignments on oss-sec mailing list

On 2015-11-30 13:05, Pascal Meunier wrote:

> Adding a CVE ID 3 months after the publication of an advisory should
> only help historians.  In my mind that defeats a main purpose of the
> CVE, which is to know if Alice, Bob and Charlie are talking about the
> same issue or not.

I'd suggest there are multiple uses of CVE:

* Naming/tagging/enumeration/identification/tracking

* De-duplication - Pascal's point, related to enumeration

* Trend analysis/history (although coverage/selection bias is an issue)

* Validation - currently at least, a populated CVE entry implies a
"real" vulnerability

* Vulnerability management - a combination of naming, de-duplication,
and validation

Probably missing other uses.

And of course perspectives matter: Historians/trend analysts can work
with a longer timeframe, those trying to coordinate disclosures cannot.

 - Art

Page Last Updated or Reviewed: December 01, 2015