oss-sec mailing list archives
Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies
From: Art Manion <amanion () cert org>
Date: Thu, 10 Mar 2016 15:37:53 -0500
On 2016-03-05 15:53, Solar Designer wrote:
... or on any third-party doing it. I expect that various existing vulnerability databases will start listing OVE IDs along with other IDs they're currently listing. Whatever IDs are available for an issue. Of course, the information will need to be available to those third-party databases from somewhere - but this can be the researcher's or the vendor's disclosure, as you say. Until such disclosure, a customer would not even be aware of the ID, let alone want to look it up.
There is a group called VRDX-SIG:

https://www.first.org/global/sigs/vrdx

An approach we are taking is to develop a simple cross-reference protocol, such that any vulnerability ID can be related to any other (e.g., equivalent-to, superset, subset, similar-to, not-equivalent). This approach was chosen intentionally to avoid creating yet another CVE-like system, but to support the expected fracturing of vulnerability ID systems.

 - Art
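
The relation types named in the message above can be read as labelled edges between IDs from different databases. The sketch below is an added illustration, not VRDX-SIG's protocol and not code from anyone in this thread: the `XrefStore` class, the edge direction ("a is a subset of b") and every ID are constructed assumptions. It merges `equivalent-to` assertions into alias sets, carries subset/superset edges across those sets, and flags `not-equivalent` assertions that contradict a merge.

```python
# Added illustration: only the five relation names come from the message; the rest is assumed.
INVERSE = {"equivalent-to": "equivalent-to", "similar-to": "similar-to",
           "not-equivalent": "not-equivalent", "superset": "subset", "subset": "superset"}

class XrefStore:
    def __init__(self, assertions=()):
        self.parent = {}      # union-find forest over equivalent-to assertions
        self.assertions = []  # (a, relation, b), read as "a is <relation> b"
        for a, relation, b in assertions:
            self.add(a, relation, b)

    def _find(self, vid):
        self.parent.setdefault(vid, vid)
        while self.parent[vid] != vid:
            self.parent[vid] = self.parent[self.parent[vid]]  # path halving
            vid = self.parent[vid]
        return vid

    def add(self, a, relation, b):
        if relation not in INVERSE:
            raise ValueError(f"unknown relation: {relation!r}")
        self.assertions.append((a, relation, b))
        root_a, root_b = self._find(a), self._find(b)  # also registers both IDs
        if relation == "equivalent-to":
            self.parent[root_a] = root_b

    def aliases(self, vid):
        # Every ID transitively asserted equivalent to vid, vid included.
        root = self._find(vid)
        return sorted(i for i in list(self.parent) if self._find(i) == root)

    def conflicts(self):
        # not-equivalent assertions whose two IDs were merged into one class.
        return [t for t in self.assertions
                if t[1] == "not-equivalent" and self._find(t[0]) == self._find(t[2])]

    def related(self, vid):
        # subset/superset/similar-to edges touching vid's class, inverted when vid is the target.
        root = self._find(vid)
        edges = [t for t in self.assertions if t[1] in ("subset", "superset", "similar-to")]
        return sorted({(r, b) for a, r, b in edges if self._find(a) == root} |
                      {(INVERSE[r], a) for a, r, b in edges if self._find(b) == root})

SAMPLE = [  # constructed IDs, not real identifiers
    ("CVE-EXAMPLE-0001", "equivalent-to", "OVE-EXAMPLE-0001"),
    ("OVE-EXAMPLE-0001", "equivalent-to", "VENDORDB-EXAMPLE-17"),
    ("VENDORDB-EXAMPLE-17", "subset", "ADVISORY-EXAMPLE-9"),
    ("CVE-EXAMPLE-0001", "not-equivalent", "VENDORDB-EXAMPLE-17"),
]
```

With `XrefStore(SAMPLE)`, the last assertion comes back from `conflicts()` because two other sources already chained the same pair together through `equivalent-to`, which is the kind of disagreement a consumer of several ID systems has to surface rather than silently resolve.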