[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE program priorities

On 12/22/2015 02:28 PM, Kurt Seifried wrote:
> What is the purpose of CVE?

The ultimate purpose of the CVE is to facilitate communications and 
understanding.  I'm afraid that the difficulty in obtaining CVE 
identifiers (slow or no responses, opaque processes, identifying an 
appropriate and willing CNA) will be increased by the uncertainty and 
burden of justifying how an issue passes selection criteria extrinsic to 
the subject matter, while simultaneously lowering the usefulness and 
mindshare of the CVE by limiting its ubiquity and scope.  When the CVE 
becomes a net barrier to communications, it will have outlived its 
usefulness.  If that happens, the consequences will be anti-academic. 
Vulnerability communications will be (more) balkanized by multiple 
competing and redundant identifiers, or no identifiers at all, assigned 
at different levels of abstraction, in different languages, 
inconsistently;  some will be proprietary, some private, or semi-private 
("clubs"), and will require the creation of maps, and the mappings could 
require paid subscriptions.  It will be a step back towards private 
libraries, the hoarding and trading of knowledge, encouraging less 
precise and detailed vulnerability announcements.  Fewer, less open, 
less useful security communications will encourage putrescence and a 
decay of software security.

So, it costs money.  However the nature of an enumeration is, either you 
do it all or it's not: "An enumeration is a complete, ordered listing of 
all...".  If MITRE wants to do a partial enumeration, let's change the 
name to PVE...  The benefits of the CVE are international and cannot 
easily be segmented by country or geopolitical alliances, especially in 
the face of open software.  If the costs are too much for the U.S. 
budget, get money internationally or get credit for the effort 
internationally, that is, trade it as a debt other countries owe the 
U.S. for its contributions to software and cyber security, or go home 
because "partial enumeration" is an oxymoron.


Page Last Updated or Reviewed: December 28, 2015