Re: CVE program priorities



On 12/22/2015 02:28 PM, Kurt Seifried wrote:
> What is the purpose of CVE?

The ultimate purpose of the CVE is to facilitate communications and 
understanding.  I'm afraid that the difficulty in obtaining CVE 
identifiers (slow or no responses, opaque processes, identifying an 
appropriate and willing CNA) will be increased by the uncertainty and 
burden of justifying how an issue passes selection criteria extrinsic to 
the subject matter, while simultaneously lowering the usefulness and 
mindshare of the CVE by limiting its ubiquity and scope.  When the CVE 
becomes a net barrier to communications, it will have outlived its 
usefulness.  If that happens, the consequences will be anti-academic. 
Vulnerability communications will be (more) balkanized by multiple 
competing and redundant identifiers, or no identifiers at all, assigned 
at different levels of abstraction, in different languages, 
inconsistently;  some will be proprietary, some private, or semi-private 
("clubs"), and will require the creation of maps, and the mappings could 
require paid subscriptions.  It will be a step back towards private 
libraries, the hoarding and trading of knowledge, encouraging less 
precise and detailed vulnerability announcements.  Fewer, less open, 
less useful security communications will encourage putrescence and a 
decay of software security.

So, it costs money.  However the nature of an enumeration is, either you 
do it all or it's not: "An enumeration is a complete, ordered listing of 
all...".  If MITRE wants to do a partial enumeration, let's change the 
name to PVE...  The benefits of the CVE are international and cannot 
easily be segmented by country or geopolitical alliances, especially in 
the face of open software.  If the costs are too much for the U.S. 
budget, get money internationally or get credit for the effort 
internationally, that is, trade it as a debt other countries owe the 
U.S. for its contributions to software and cyber security, or go home 
because "partial enumeration" is an oxymoron.

Pascal


Page Last Updated or Reviewed: December 28, 2015