
Re: Qualcomm (and other) Android CVE IDs

On 2017-06-14 16:08, Pascal Meunier wrote:

> Identification is our mission;  source code commits are awesome for that
> and in that case I'd suggest saying "but in (a) different (part of the)
> code than CVE-... (commit links forthcoming)".  That would be
> exceptionally good.

Or name a function even, if that's an appropriate level of abstraction 
at which to differentiate.

> I believe impact isn't necessary for identification, although it can
> help.  Sometimes the impact can be up to someone with enough imagination
> to get something else to happen.  So if we rely on impact as the only
> thing differentiating a CVE from another, or a crucial (required)
> identification factor, then the CVE entries could be on shifting
> grounds.

Agree.  Identification (and sufficient de-duplication) is the main 
goal, technical impact is (strongly?) preferred but optional.

 - Art

Page Last Updated or Reviewed: June 15, 2017