Survey: Use of Same Attack/Same Codebase content decision in VDB's
I'd prefer to delay deciding on the Same Attack/Same Codebase
decisions until I hear from an IDS person.
Also, I think it would help us all to know which content decision is
being used by those who have created/maintained vulnerability
databases. If the CVE is to be a translation mechanism, then what's
out there "right now" could suggest the appropriate approach, or at
least break a tie.
So if you could let us know:
1) Whether you have consciously applied a Same Attack or Same Codebase
content decision in your database (and which)
2) How "consistent" you believe your database is with respect to that
3) If neither was a specific content decision that you made, if you
believe that your database reflects one or the other
4) If your database's content decision is in conflict with what you
have been advocating for the CVE, what is the nature of that conflict?
If this survey is productive, I expect to ask it for the other content
decisions that we discuss.