[Date Prev][Date Next
][Thread Prev][Thread Next
Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
- To: "Steven M. Christey" <email@example.com>, firstname.lastname@example.org
- Subject: Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's
- From: Adam Shostack <email@example.com>
- Date: Thu, 1 Jul 1999 11:55:48 -0400
- In-Reply-To: <199906302345.TAA03673@basie.mitre.org>; from Steven M. Christey on Wed, Jun 30, 1999 at 07:45:05PM -0400
- References: <199906302345.TAA03673@basie.mitre.org>
- Reply-To: firstname.lastname@example.org
We have moved to intentionally using a same codebase decision point.
(We used to argue about it a lot internally, and it was in fact the
windows/unix different codebases that led us to this point.) Thus, we
have outlook and netscape mime overflows seperated (and we dont check
the Sun one, lacking a UNIX credentialed checking tool today). We
have asp-dot and win-apache-dot as seperate checks.
PS: We still do argue about the appropriate LOA internally from time
On Wed, Jun 30, 1999 at 07:45:05PM -0400, Steven M. Christey wrote:
| I'd prefer to delay deciding on the Same Attack/Same Codebase
| decisions until I hear from an IDS person.
| Also, I think it would help us all to know which content decision is
| being used by those who have created/maintained vulnerability
| databases. If the CVE is to be a translation mechanism, then what's
| out there "right now" could suggest the appropriate approach, or at
| least break a tie.
| So if you could let us know:
| 1) Whether you have consciously applied a Same Attack or Same Codebase
| content decision in your database (and which)
| 2) How "consistent" you believe your database is with respect to that
| content decision
| 3) If neither was a specific content decision that you made, if you
| believe that your database reflects one or the other
| 4) If your database's content decision is in conflict with what you
| have been advocating for the CVE, what is the nature of that conflict?
| If this survey is productive, I expect to ask it for the other content
| decisions that we discuss.
| - Steve