oss-sec mailing list archives

Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies


From: Art Manion <amanion () cert org>
Date: Thu, 10 Mar 2016 15:37:53 -0500

On 2016-03-05 15:53, Solar Designer wrote:
> ... or on any third-party doing it.  I expect that various existing
> vulnerability databases will start listing OVE IDs along with other IDs
> they're currently listing.  Whatever IDs are available for an issue.
>
> Of course, the information will need to be available to those
> third-party databases from somewhere - but this can be the researcher's
> or the vendor's disclosure, as you say.  Until such disclosure, a
> customer would not even be aware of the ID, let alone want to look it up.

There is a group called VRDX-SIG:

  https://www.first.org/global/sigs/vrdx

An approach we are taking is to develop a simple cross-reference
protocol, such that any vulnerability ID can be related to any other
(e.g., equivalent-to, superset, subset, similar-to, not-equivalent).
This approach was chosen intentionally to avoid creating yet another
CVE-like system, but to support the expected fracturing of vulnerability
ID systems.

 - Art
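The cross-reference idea above (any vulnerability ID related to any other by a typed link such as equivalent-to, superset, subset, similar-to or not-equivalent) can be exercised with a small graph. The following is an added example, not code from the VRDX-SIG or from anyone in this thread: the relation names come from the message, but the algebra assumed here (superset/subset as inverses, the other three symmetric, only equivalent-to chaining transitively) and the placeholder IDs are this example's own.

```python
from collections import defaultdict, deque

# Relation vocabulary from the message. Which relations are inverses of one
# another, which are symmetric and which chain transitively is an assumption
# of this example, not a property of the VRDX-SIG protocol itself.
INVERSE = {
    "equivalent-to": "equivalent-to",
    "similar-to": "similar-to",
    "not-equivalent": "not-equivalent",
    "superset": "subset",
    "subset": "superset",
}


class CrossRef:
    """A small graph of vulnerability IDs joined by typed relations."""

    def __init__(self):
        # vid -> set of (relation, other_vid); every edge is stored in both
        # directions so a lookup never has to know which side asserted it.
        self.edges = defaultdict(set)

    def relate(self, a, rel, b):
        """Record 'a rel b' and its inverse 'b INVERSE[rel] a'."""
        if rel not in INVERSE:
            raise ValueError("unknown relation: %r" % rel)
        self.edges[a].add((rel, b))
        self.edges[b].add((INVERSE[rel], a))

    def related(self, vid, rel):
        """IDs directly related to vid by rel (one hop only)."""
        return {other for r, other in self.edges.get(vid, ()) if r == rel}

    def _closure(self, starts, rel):
        # Breadth-first walk that follows only edges of type rel.
        seen, queue = set(starts), deque(starts)
        while queue:
            cur = queue.popleft()
            for nxt in self.related(cur, rel):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
        return seen

    def equivalents(self, vid):
        """Every ID reachable from vid over equivalent-to chains, minus vid."""
        return self._closure([vid], "equivalent-to") - {vid}

    def covering(self, vid):
        """IDs that are (transitively) supersets of vid or of anything
        equivalent to it, e.g. a distro bug tracking several CVEs."""
        cls = self._closure([vid], "equivalent-to")
        return self._closure(cls, "subset") - cls

    def conflicts(self):
        """Pairs asserted not-equivalent that are nonetheless joined by an
        equivalent-to chain: a sign that two sources disagree."""
        bad = set()
        for a, rels in self.edges.items():
            for r, b in rels:
                if r == "not-equivalent" and b in self.equivalents(a):
                    bad.add(tuple(sorted((a, b))))
        return sorted(bad)


def build_sample():
    """Constructed sample data; the IDs are placeholders, not real records."""
    x = CrossRef()
    x.relate("CVE-0000-0001", "equivalent-to", "OVE-0000-0001")
    x.relate("OVE-0000-0001", "equivalent-to", "VENDOR-ADV-0001")
    x.relate("DISTRO-BUG-0001", "superset", "CVE-0000-0001")
    x.relate("DISTRO-BUG-0001", "superset", "CVE-0000-0002")
    x.relate("CVE-0000-0002", "similar-to", "CVE-0000-0001")
    x.relate("CVE-0000-0002", "not-equivalent", "CVE-0000-0001")
    return x


if __name__ == "__main__":
    x = build_sample()
    print("equivalent to VENDOR-ADV-0001:", sorted(x.equivalents("VENDOR-ADV-0001")))
    print("covered by:", sorted(x.covering("VENDOR-ADV-0001")))
    print("conflicts:", x.conflicts())
```

Storing each link in both directions is what lets a consumer start from whichever ID it happens to hold (a vendor advisory, an OVE, a distro bug) and find the rest; the conflicts() check matters because, once several parties publish cross-references independently, contradictory assertions are the expected case rather than the exception.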

