Re: [ISN] A Dictionary For Vulnerabilities

From: InfoSec News (isnat_private)
Date: Thu Jun 26 2003 - 01:50:07 PDT

    Forwarded from: Adam Shostack <adamat_private>
    
    On Wed, Jun 25, 2003 at 02:39:50AM -0500, InfoSec News wrote:
    | Forwarded from: Kurt Seifried <kurtat_private>
    
    | related to? etc.) then of course it will be "old". As for the CAN ->
    | CVE process this isn't that important, the number is still kept, i.e.
    | CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that
    | the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN
    | designation is a rather moot point and non critical item in my
    | opinion.
    
    Actually, the CVE designation means that it's been through a quality
    assurance process, mainly the editorial board has voted to accept it,
    and the CVE team at MITRE has fine-tooth-combed it (duplicate
    avoidance, etc.)
    
    But Kurt is spot on; researchers can go to MITRE for a CAN number, and
    attach one before the issue becomes public.  Sometimes, MITRE will ask
    that the vendor assign the number (many vendors have blocks that they
    can hand out.)  They do this so that a double-discovered issue only
    has one name, and it keeps MITRE out of the politics of discovery date
    and disclosure from one researcher to another.
    
    | As someone who works for a security vendor I can say that the CVE
    | project reduces my workload measurably (i.e. several hours a week,
    | significantly), people use different terminology and names all the
    | time, as soon as I see a CVE number I can find out in about 1 second
    | what it actually is, as opposed to spending minutes or hours tracing
    | down what a vulnerability/fix actually is.
    
    Preach it, brother! 
    
    Getting a CAN assigned for your new issue is easy, any responsible
    researcher should do it, because as Kurt mentioned, it saves the rest
    of the world enormous effort.
    
    | BTW, how would having a group to name viruses slow down research, even
    | if it takes them a while to agree on a name?
    
    Well, we'd get names like slammer and bugbear, instead of
    CAN-2003-8573.  Slammer's easier to say. ;)
    
    Adam
    



    This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 04:17:25 PDT