
Re: CNA Rules Announcement

On Sun, 9 Oct 2016, Chandan Nandakumaraiah wrote:

: On 10/9/16 7:13 PM, jericho wrote:
: > If you want to then turnaround and issue one ID for implementation 
: > when the protocol spec is correct, you aren't being consistent.
: It is the flaw that is being assigned an ID.
: If the flaw is very specific and unique to the implementations of a 
: particular protocol, it should get a single ID, irrespective of the 
: affected products or vendors.

You are now equating the two sides of the abstraction debate and aren't 
being consistent or clear yourself. "It is the flaw that is being assigned 
an ID" then immediately say "if the flaw is very specific and unique to 
the implementations ... it should get a single ID". You can't have it 

: >  The important part is to stay consistent in the handling of such 
: > issues. 
: Consistently doing a wrong thing does not make it right.

Re-read my email. I very specifically say that if we change the 
that is fine, but we need to very publicly state that. I am not arguing 
stick to the old way, or move to the new way. I am playing both sides 
the debate because both have merit, and I have said that several times. 

: > Again, I see the benefit of each method and unfortunately, the benefits of 
: > each way help different types of InfoSec professionals. If we go one way, 
: > we please academics, (some) VDBs, and (some) auditors. If we go the 
: > way, we please system admins, (some) VDBs, and (some) auditors.
: I have only seen confusion and misunderstandings due to such 
: IDs. There is always a danger of some valid vulnerability being 
: as a false positive because the MITRE description said something 
: the CVE being applicable only to a certain vendor's product.

Can you cite a specific example?

And that would not happen if CVE's coverage was better, and addressed 
those additional products that were impacted. Either adding them to the 
base entry (e.g. if it is a protocol flaw), or abstracting out for 
additional vendors if that is the decision.

Ultimately, this boils down to a simple "do we abstract or not" 
for CVE, but must consider the coverage argument above. There are 
for abstracting, and there are merits for assigning a single CVE. I 
know I 
don't have a pulse on the entire industry, no one does... but working 
a vuln scanner company and a commercial VDB, I see at least two big 
to his argument. There WILL be confusion, regardless of what side we 
That is the fact. Saying there is confusion is a non sequitur, that 
be obvious to anyone familiar with this arena, as I outlined both sides 


Page Last Updated or Reviewed: October 19, 2016