Firewall Wizards mailing list archives

Re: The Common Vulnerabilities and Exposures taxonomy


From: Adam Shostack <adam () homeport org>
Date: Thu, 21 Oct 1999 12:39:01 -0400

On Thu, Oct 21, 1999 at 12:33:34PM -0400, Anton J Aylward wrote:
| On Thursday, October 21, 1999 10:37 AM Adam Shostack said:
| 
| > Russ and Scott have commented on the taxonomy issue, so I'll add that
| > the CVE is also not a database.  The closest analogy is either a
| > multi-lingual dictionary or the latin name for a species (although
| > this is a bad analogy when you dig deep.)
| 
| The multi-lingual database makes sense.
| The Latin name for a species is a result of a taxonomy.
| It's not the same thing.

"the CVE is also not a database"  Thus, I'm saying, in agreement with
what Scott and Russ posted, that it's not a taxonomy nor a database.

| Of course you could just stop calling it a "taxonomy" and I'll stop
| berating you for it.

I never called it a taxonomy.  Stop anytime.  :)

| > That is a critical part of
| > starting to share information about vulnerabilities in a structured
| > way.  Such sharing of information -- being able to agree on what
| > you're talking about -- is a critical precursor to doing a scientific
| > analysis of the problems that exist.  (You can do science without it,
| > but it's hard.)
| 
| Damn right.
| Taxonomy, as many writers on the history of science have pointed out,
| is the basis of a science.   However, there are many pseudo-sciences
| (e.g. close encounters of the Nth kind) that also employ taxonomy
| and statistics to bolster their credibility.  Having a taxonometric system
| doesn't make you a science, lacking one doesn't mean you're not a science.
| Some sciences, for example psychiatry, which overused the category "schizophrenia",
| have been crippled by inappropriate classification schemes.

Good, we can agree now.

-- 
"It is seldom that liberty of any kind is lost all at once."
                                                       -Hume
