[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE numbering



Adam,

Although it would be nice, I don't see why it should be important to get the
CVE index numbers to be roughly chronological. The disadvantages would be as
follows:

- 'Reserving' arbitrary blocks of numbers for backfill or middlefill.
- Difficult to insert CVE indexes in the event that some information source
is unearthed in the future.
- Adds little or no value as to the relative time of discovery, as in the
example where one knowledge base reports the discovery date as several
months different from another site.
- May require reindexing at a future date, thereby requiring version control
and violating the integrity of the index numbers (CVE-1 may not always be
CVE-1).
- May delay entry of information pending authoritative determination of
discovery date.

Instead, we should just indicate that the CVE index is not guaranteed to be
chronological, and possibly use another field (such as date reported) to
indicate when it occurred. In the best possible case, date reported could be
pushed down to the vendor/knowledge-source level so that it can be known
when each vendor reported the identical issue. However, I don't believe that
that's even within the scope of the CVE.

Yet another opinion,
Andre

Andre Frech
afrech@iss.net
Internet Security Systems, Inc.
678.443.6241 / fax 678.443.6479
www.iss.net

Adaptive Network Security for the Enterprise



> -----Original Message-----
> From: Adam Shostack [mailto:adam@netect.com]
> Sent: Tuesday, May 04, 1999 3:33 PM
> To: Steven M. Christey
> Cc: cve-review@linus.mitre.org
> Subject: CVE numbering
>
>
> Steve,
>
> 	Let me start by saying thank you very much for all the effort
> that you and Mitre have put into making this happen.  I look forward
> to the communication paths you've opened making vulnerability
> management practices more effective for everyone.
>
> 	As I start looking through the data, one thing that jumps out
> at me is that you seem to have started at CVE-1, which means that we
> lose the ability to be roughly chronological and backfill.  In our
> discussions at the CERIAS workshop, we had suggested starting at
> 10,000, so that we can put in 1 as "Moth in vaccuum tubes"
>
> Adam
>

 
Page Last Updated: May 22, 2007