[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CD PROPOSAL: CATSPEC (Interim Decision 8/24)



Vote: None at this time

I don't understand this one.  Is there a concrete scheme for which content
decisions apply to which categories?  If so, I missed it, and we might want
to include the text inline here.

"Steven M. Christey" wrote:
> 
> Please vote on this pervasive content decision using the space
> provided below.  This content decision is scheduled for Interim
> Decision on August 24.
> 
> - Steve
> 
> Content Decision: CATSPEC (Category-Specific Content Decisions)
> ---------------------------------------------------------------
> 
> VOTE:
> 
> (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)
> 
> Short Description
> -----------------
> 
> A vulnerability's category determines what content decisions are
> applied to it.
> 
> Rationale
> ---------
> 
> In general, software flaws are concrete, well-understood entities that
> have been studied closely, thus it is easier to specify how to
> discriminate between software flaws.  Service/application presence
> problems are also concrete, since the name of the service suffices for
> discrimination.  However, configuration problems are poorly understood
> and have no well-defined language to describe them.  Thus content
> decisions related to configuration problems cannot be effectively
> described.
> 
> The category of the vulnerability (as recorded in CMEX) allows an
> interested observer to understand which content decisions have been
> applied to the vulnerability, which thus affect the level of
> abstraction, inclusion in the CVE, etc.
> 
> In cases where a vulnerability may have multiple categories, content
> decisions are applied in the following order:
> 
> 1) Pervasive
> 2) Exclusions
> 3) Software Flaw
> 4) Configuration Problem
> 5) Service/Application Presence
> 
> If the existing content decisions are not sufficient for
> discriminating between vulnerabilities that the Editorial Board
> believes should be distinguished, then those content decisions need to
> be refined, or new ones added.

-- 
Stuart Staniford-Chen --- President --- Silicon Defense
                   stuart@silicondefense.com
(707) 822-4588                     (707) 826-7571 (FAX)

 
Page Last Updated: May 22, 2007