Forwarded from: Kurt Seifried <kurtat_private>

http://security.ziffdavis.com/article2/0,3973,1134336,00.asp

Actually the hope is that vendors come to Mitre requesting CVE CAN numbers, i.e. you find a vulnerability, you go to SANS/Mitre/etc, start the process, get a CAN entry, that way when you release it has a standard name. If Mitre is left to reactively gather entries and research them (i.e. is this a new issue? already covered? what is it related to? etc.) then of course it will be "old".

As for the CAN -> CVE process this isn't that important, the number is still kept, i.e. CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN designation is a rather moot point and non-critical item in my opinion.

As someone who works for a security vendor I can say that the CVE project reduces my workload measurably (i.e. several hours a week, significantly). People use different terminology and names all the time; as soon as I see a CVE number I can find out in about 1 second what it actually is, as opposed to spending minutes or hours tracing down what a vulnerability/fix actually is.

BTW, how would having a group to name viruses slow down research, even if it takes them a while to agree on a name?

This is one of the most poorly written and researched "security" articles I have ever read, and I've read a lot of bad articles in my time.

Kurt Seifried, kurtat_private
A15B BEE5 B391 B9AD B0EF AEB0 AD63 0B4E AD56 E574
http://seifried.org/security/

-
ISN is currently hosted by Attrition.org
This archive was generated by hypermail 2b30 : Wed Jun 25 2003 - 03:07:08 PDT