Re: Candidate numbering scheme discussion - summary so far
"Steven M. Christey" wrote:

<SNIP>

> In my
> opinion, a CVE number should only be assigned to a well-understood
> vulnerability. The CVE "label" should imply stable information.
> Candidates by their nature will be largely unstable.

I very much agree.

> If we allow the OS/application vendors to
> assign their own CVE number, we run a further risk of diluting the
> quality of the CVE number - because they might not understand content
> decisions as well as board members, and make a mistake which forces
> the CVE number to be unaccepted, split or merged, etc.

This is almost a certainty; it is unknown whether even the core CVE group will be able to maintain a common understanding/agreement on levels of abstraction, differentiation, etc. It is highly doubtful that more casual participants will have that same understanding/agreement.

>
> I think we should stay with the CAN approach. And even if it doesn't
> work as expected, I believe it would be easier for us to go from the
> CAN approach to something like Adam suggested, than to do it the other
> way around.

Yes.

Bill

--
----------------------------------------------------------------------
William Hill                          V:703-883-6416
INFOSEC Engineer                      F:703-883-1397
The MITRE Corporation                 bill@mitre.org
1820 Dolley Madison Blvd. M/S W422    whhill@acm.org
McLean, VA 22102-3481