
Re: CNA Rules Announcement



On Sat, 8 Oct 2016, Pascal Meunier wrote:

: I think that problem belongs to scanner vendors or the NVD, who should
: worry about which vendors exactly are affected, which software versions,

That is why the industry is in horrible shape. NVD doesn't even try to
keep up with vendors impacted to that degree. I'm sure if they tried, they
would ask for a lot more money to do so.

: and which advisories apply to which, and which to report in the scanner
: findings. It reminds me of Steve's mantra, "the CVE is not a
: vulnerability database". Based on that mantra and your argumentation
: being based on what a full-service vulnerability database can or should
: do ideally, I believe the CVE should not be distorted for it. Besides,

I had long debates with Christey over his mantra for many years, which I
think is absurd personally. While we appreciate each other's arguments,
the fact is almost every major security vendor that relies on
vulnerability information uses CVE, and treats it like a VDB. More
telling is that every commercial VDB out there shares a common "#1
competition", and it isn't each other at all. CVE/NVD are the reason
companies opt not to pay for better vulnerability intelligence. So use
whatever term you want, it is completely irrelevant as far as the
practical use as seen in the wild today.

: I bet most scanners would report *all* such CVEs if they could not
: determine the vendor, and count them as individual findings against the

Nessus certainly wouldn't.

Brian


Page Last Updated or Reviewed: October 10, 2016