
Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's


  • To: "Steven M. Christey" <coley@linus.mitre.org>, cve-review@linus.mitre.org
  • Subject: Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
  • From: Adam Shostack <adam@netect.com>
  • Date: Thu, 1 Jul 1999 11:55:48 -0400
  • In-Reply-To: <199906302345.TAA03673@basie.mitre.org>; from Steven M. Christey on Wed, Jun 30, 1999 at 07:45:05PM -0400
  • References: <199906302345.TAA03673@basie.mitre.org>
  • Reply-To: adam@netect.com

We have moved to intentionally using a same codebase decision point.
(We used to argue about it a lot internally, and it was in fact the
windows/unix different codebases that led us to this point.)  Thus, we
have outlook and netscape mime overflows separated (and we don't check
the Sun one, lacking a UNIX credentialed checking tool today).  We
have asp-dot and win-apache-dot as separate checks.

Adam

PS: We still do argue about the appropriate LOA internally from time
to time.

On Wed, Jun 30, 1999 at 07:45:05PM -0400, Steven M. Christey wrote:
| 
| All:
| 
| I'd prefer to delay deciding on the Same Attack/Same Codebase
| decisions until I hear from an IDS person.
| 
| Also, I think it would help us all to know which content decision is
| being used by those who have created/maintained vulnerability
| databases.  If the CVE is to be a translation mechanism, then what's
| out there "right now" could suggest the appropriate approach, or at
| least break a tie.
| 
| So if you could let us know:
| 
| 1) Whether you have consciously applied a Same Attack or Same Codebase
| content decision in your database (and which)
| 
| 2) How "consistent" you believe your database is with respect to that
| content decision
| 
| 3) If neither was a specific content decision that you made, if you
| believe that your database reflects one or the other
| 
| 4) If your database's content decision is in conflict with what you
| have been advocating for the CVE, what is the nature of that conflict?
| 
| If this survey is productive, I expect to ask it for the other content
| decisions that we discuss.
| 
| 
| Thanks,
| - Steve

 
Page Last Updated: May 22, 2007