Information Security News mailing list archives
Re: A Dictionary For Vulnerabilities
From: InfoSec News <isn () c4i org>
Date: Thu, 26 Jun 2003 03:50:07 -0500 (CDT)
Forwarded from: Adam Shostack <adam () lagrange informedsecurity com>

On Wed, Jun 25, 2003 at 02:39:50AM -0500, InfoSec News wrote:
| Forwarded from: Kurt Seifried <kurt () seifried org>
| related to? etc.) then of course it will be "old". As for the CAN ->
| CVE process this isn't that important, the number is still kept, i.e.
| CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that
| the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN
| designation is a rather moot point and non-critical item in my
| opinion.

Actually, the CVE designation means that it's been through a quality assurance process: mainly, the editorial board has voted to accept it, and the CVE team at MITRE has fine-tooth-combed it (duplicate avoidance, etc.). But Kurt is spot on; researchers can go to MITRE for a CAN number, and attach one before the issue becomes public. Sometimes, MITRE will ask that the vendor assign the number (many vendors have blocks that they can hand out). They do this so that a double-discovered issue only has one name, and it keeps MITRE out of the politics of discovery date and disclosure from one researcher to another.

| As someone who works for a security vendor I can say that the CVE
| project reduces my workload measurably (i.e. several hours a week,
| significantly). People use different terminology and names all the
| time; as soon as I see a CVE number I can find out in about 1 second
| what it actually is, as opposed to spending minutes or hours tracing
| down what a vulnerability/fix actually is.

Preach it, brother! Getting a CAN assigned for your new issue is easy, and any responsible researcher should do it, because as Kurt mentioned, it saves the rest of the world enormous effort.

| BTW, how would having a group to name viruses slow down research, even
| if it takes them a while to agree on a name?

Well, we'd get names like slammer and bugbear, instead of CAN-2003-8573. Slammer's easier to say.
;)

Adam