RE: CVE numbering
Ok, Adam's point really was just that we had "agreed" to use 10,000 as a
starting number, and he actually assigned numbers to a few items based
on this understanding.
The number *is* irrelevant. Really, there are no advantages or
disadvantages to any numbering system we use because we are, I hope,
striving to keep away from the in-depth analytical data that the CERIAS
VdB is attempting to put with the names/numbers the CVE enumerates.
What's important is that we have a way to issue a "value", have it be
unique, and get vendors to adopt is as a reference value.
Beyond that, any other implications derived from the "value" are merely
superficial and subject to the particular penchant of the people viewing
the data (oh, its number 13, it must have been a really big problem!).
We should not spend a great deal of time on the enumeration "value". I'm
sure Adam would prefer not to change what he already understood to be
settled, but in the end it really does not matter a hoot what we use.
IMO, no attempt should be made to put the items in chronological order.
>From Mitre's perspective, there's no desire to even properly attribute
the discovery or first announcement of vulnerabilities. This gets into
liability issues, or at least, the possibility of ticking someone off
for not being attributed. If anything, quoting sources of information
that were used to derive the info that makes an item worthy of a CVE
entry makes the most sense. This isn't done to attribute, but to justify
its "acceptance" and provide clarification. I think my last discussions
with Steve et al indicated that even this may not be done...which is
fine by me.
We should remember to stay tightly focused on the Mitre effort, to
identify and enumerate all known vulnerabilities such that all entities
referring to such vulnerabilities will, ultimately, refer to the same
issue. Everything beyond that is the realm of other...possibly
related...efforts (CERIAS, VETRANS, etc...)
..."what's in a name, a rose by any other name would still smell as
The CVE is, IMO, merely trying to name the flower, and say it has a
scent. Sweet, not sweet, etc... is not in the purview of the CVE.
Russ - NTBugtraq moderator