Re: CVE for hosted services

On 2017-02-27 00:56, jericho wrote:

> : What does CAN/CVE mean in this discussion?
> :
> The CNA/CVE abstraction from day one made sense. Historically, it was the
> board voting on if an issue warranted a CVE assignment. It was a CANdidate
> until the board voted, or MITRE made an executive decision. The
> site actually showed those votes for a decade.
> If there were two schemes, for vuln in software (i.e. the context and 
> purpose of CVE), for a *decade*...
> How can you possibly ask what CAN/CVE means in this discussion?

I know why CAN/CVE existed.  That reason (early days of defining
vulnerabilities, candidates, discussion, voting, ratification as CVE)
doesn't match what we're discussing today (service vs. product vulns).
That's why I'm asking.

I too am interested in other opinions on 1. tracking service vulns at
all and 2. using a new scheme or not.  I'm mildly against using a
number-space carve-out, seems like this could change frequently enough
to cause trouble.  DWF==CVE, so DWF in 7 digits isn't quite the same 

 - Art

Page Last Updated or Reviewed: February 28, 2017