Information Security News mailing list archives

Re: A Dictionary For Vulnerabilities


From: InfoSec News <isn () c4i org>
Date: Thu, 26 Jun 2003 03:50:07 -0500 (CDT)

Forwarded from: Adam Shostack <adam () lagrange informedsecurity com>

On Wed, Jun 25, 2003 at 02:39:50AM -0500, InfoSec News wrote:
| Forwarded from: Kurt Seifried <kurt () seifried org>

| related to? etc.) then of course it will be "old". As for the CAN ->
| CVE process this isn't that important, the number is still kept, i.e.
| CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that
| the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN
| designation is a rather moot point and non critical item in my
| opinion.

Actually, the CVE designation means that it's been through a quality
assurance process, mainly the editorial board has voted to accept it,
and the CVE team at MITRE has fine-tooth-combed it (duplicate
avoidance, etc.)

But Kurt is spot on; researchers can go to MITRE for a CAN number, and
attach one before the issue becomes public.  Sometimes, MITRE will ask
that the vendor assign the number (many vendors have blocks that they
can hand out.)  They do this so that a double-discovered issue only
has one name, and it keeps MITRE out of the politics of discovery date
and disclosure from one researcher to another.

| As someone who works for a security vendor I can say that the CVE
| project reduces my workload measurably (i.e. several hours a week,
| significantly), people use different terminology and names all the
| time, as soon as I see a CVE number I can find out in about 1 second
| what it actually is, as opposed to spending minutes or hours tracing
| down what a vulnerability/fix actually is.

Preach it, brother! 

Getting a CAN assigned for your new issue is easy, any responsible
researcher should do it, because as Kurt mentioned, it saves the rest
of the world enormous effort.

| BTW, how would having a group to name viruses slow down research, even
| if it takes them a while to agree on a name?

Well, we'd get names like slammer and bugbear, instead of
CAN-2003-8573.  Slammer's easier to say. ;)

Adam



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
