CD PROPOSAL: CATSPEC (Interim Decision 8/24)
Please vote on this pervasive content decision using the space provided below. This content decision is scheduled for Interim Decision on August 24.

- Steve

Content Decision: CATSPEC (Category-Specific Content Decisions)
---------------------------------------------------------------

VOTE:

(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)

Short Description
-----------------

A vulnerability's category determines what content decisions are applied to it.

Rationale
---------

In general, software flaws are concrete, well-understood entities that have been studied closely, thus it is easier to specify how to discriminate between software flaws. Service/application presence problems are also concrete, since the name of the service suffices for discrimination. However, configuration problems are poorly understood and have no well-defined language to describe them. Thus content decisions related to configuration problems cannot be effectively described.

The category of the vulnerability (as recorded in CMEX) allows an interested observer to understand which content decisions have been applied to the vulnerability, which thus affect the level of abstraction, inclusion in the CVE, etc.

In cases where a vulnerability may have multiple categories, content decisions are applied in the following order:

1) Pervasive
2) Exclusions
3) Software Flaw
4) Configuration Problem
5) Service/Application Presence

If the existing content decisions are not sufficient for discriminating between vulnerabilities that the Editorial Board believes should be distinguished, then those content decisions need to be refined, or new ones added.