Re: [ISN] A Dictionary For Vulnerabilities

From: InfoSec News (isnat_private)
Date: Thu Jun 26 2003 - 01:50:07 PDT

Next message: InfoSec News: "[ISN] School district computer network left student records available to public"

Previous message: InfoSec News: "Re: [ISN] A Dictionary For Vulnerabilities"
Maybe in reply to: InfoSec News: "[ISN] A Dictionary For Vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Forwarded from: Adam Shostack <adamat_private>

On Wed, Jun 25, 2003 at 02:39:50AM -0500, InfoSec News wrote:
| Forwarded from: Kurt Seifried <kurtat_private>

| related to? etc.)then of course it will be "old". As for the CAN ->
| CVE process this isn't that important, the number is still kept, i.e.
| CAN-2003-0001 -> CVE-2003-0001. The CVE designation simply means that
| the issue is "closed", i.e. the vendor has addressed it. The CVE/CAN
| designation is a rather moot point and non critical item in my
| opinion.

Actually, the CVE designation means that it's been through a quality
assurance process, mainly the editorial board has voted to accept it,
and the CVE team at MITRE has fine-tooth-combed it (duplicate
avoidance, etc.)

But Kurt is spot on; researchers can go to MITRE for a CAN number, and
attach one before the issue becomes public.  Sometimes, MITRE will ask
that the vendor assign the number (many vendors have blocks that they
can hand out.)  They do this so that a double-discovered issue only
has one name, and it keeps MITRE out of the politics of discovery date
and disclosure from one researcher to another.

| As someone who works for a security vendor I can say that the CVE
| project reduces my workload measureably (i.e. several hours a week,
| significantly), people use different terminology and names all the
| time, as soon as I see a CVE number I can find out in about 1 second
| what it actually is, as opposed to spending minutes or hours tracing
| down what a vulnerbaility/fix actually is.

Preach it, brother! 

Getting a CAN assigned for your new issue is easy, any responsible
researcher should do it, because as Kurt mentioned, it saves the rest
of the world enourmous effort.

| BTW, how would having a group to name viruses slow down research, even
| if it takes them a while to agree on a name?

Well, we'd get names like slammer and bugbear, instead of
CAN-2003-8573.  Slammer's easier to say. ;)

Adam



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn'
in the BODY of the mail.

Next message: InfoSec News: "[ISN] School district computer network left student records available to public"
Previous message: InfoSec News: "Re: [ISN] A Dictionary For Vulnerabilities"
Maybe in reply to: InfoSec News: "[ISN] A Dictionary For Vulnerabilities"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Thu Jun 26 2003 - 04:17:25 PDT