[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CD PROPOSAL: SYSCON (Interim Decision 8/24)
>Content Decision: SYSCON (System Administrator Consideration) >------------------------------------------------------------- > >VOTE: REJECT I am always one to agree with practicality, but this is pushing it too far, and it is very narrow-minded. By strict definition academia has for goal the pursuit of pure knowledge, so the statement below about academic research is false -- academic pursuits that have those good results get funding, and rightly so, but that's not the primary goal of academia. This content decision is much too lopsided towards industry and is dangerous as well for the CVE, since it can be used to justify almost anything. Just the fact that someone feels the need to make this into a CD proposal bodes ill. If this CD passes, I will consider resigning from the board, as I fear it will tie my hands (make my opinions and goals irrelevant) and significantly lower the relevance of the CVE to what we do. Indeed, why have academics on the Board if they are a second-class concern? Moreover, if academics are not considered as beneficiaries of the CVE, why do we bother? Pascal > >(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.) > > > >Short Description >----------------- > >All content decisions and individual CVE vulnerabilities must be >considered in light of system administrators and security analysts, >who are the ultimate beneficiaries of the CVE. > > >Rationale >--------- > >Security tools (such as assessment tools and IDSes), vulnerability >databases, and academic research all have an ultimate goal of helping >an enterprise to make itself more secure from attack. Within the >enterprise, system administrators and security analysts are the >individuals who perform the bulk of the work involved in securing >systems - applying patches, conducting assessments, keeping current >with new vulnerabilities, etc. > >One of the goals of the CVE is to facilitate data sharing among >security tools and databases. Therefore, its content decisions and >individual vulnerability entries should consider the impact and usage >to system administrators and security analysts, despite the >expectation that they might not use the CVE directly itself.