oss-sec mailing list archives

Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies


From: Simon Ward <simon+oss-sec () bleah co uk>
Date: Mon, 07 Mar 2016 11:28:48 +0000

On 5 March 2016 20:25:49 GMT+00:00, Adam Caudill <adam () adamcaudill com> wrote:
> Here is what I would like to see:
>
> * Simple ID Request - Data required should be minimal, though I think
> a few basic items are needed. Perhaps vendor, product, version(s),
> title, and contact information. Optionally, the requestor should be
> able to provide their GPG public key, a detailed description,
> reference URL(s), etc. The ID should then be instantly issued, and
> given a status of assigned.

While I like the idea of being able to trivially get a global identifier for a vulnerability, I find those with no
information, i.e. unknown attack vector and impacts, useless. There's no good way to prioritise these: if you assume
the worst case you get drowned in a sea of vulnerabilities you have to investigate.

Simon
-- 
Sent from Kaiten Mail. Please excuse my brevity.
