RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30
I suppose QUESTION isn't one of the options, but ....
I fully agree with the exposure notion. I also do not agree that finger is
a vulnerability, it is a program and outside of buffer overflows (which
would be vulnerabilities) and what, it does exactly what it was designed to
do. Soooo.... if I vote to accept this definition, and we say running
finger is an exposure, did we just create a back door way to call finger a
vulnerability? Inquiring minds truly want to know :)

From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, August 24, 1999 6:59 PM
Subject: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

Please vote on this modification of the INCLUSION content decision.
It has been modified to reflect the modifications suggested by the
Board members, and to use the new "exposure" terminology.

Dave Mann and I are concerned that the voting - even with a minimum of
3 people - could slow down the process of CVE candidate acceptance to
the point where the CVE cannot be timely enough to satisfy most uses
for it. The active participation of Board members is critical for
this approach to be successful. We should revisit this voting
approach in a few months to ensure that it is striking the delicate
balance between timeliness and accuracy.

(Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)

Content Decision: INCLUSION (What to include in the CVE)

A candidate entry may be included in the CVE if all of the following
1) It satisfies either the CVE vulnerability definition or the CVE
2) It does not satisfy any Exception (see other content decisions)
3) At least 50% of active voting members vote on the candidate, and
there are more votes for inclusion (ACCEPT/MODIFY) than exclusion
(REJECT). An active voter is one who has voted on the particular
candidate or voted for some candidate in the previous two weeks (or
several times in the previous month), and has not declared themselves
to be inactive.
- at least 3 non-MITRE members vote for inclusion, *OR*
- the candidate entry predates the initial public release
of the CVE, and
- at least 2 non-MITRE members vote for inclusion, and
- either the entry is confirmed by the vendor, or it is tested by
at least one well-known security tool (or mentioned in at least
one well-known vulnerability database) that is not associated
with a Board member who voted for the candidate
5) The Moderator has determined that further discussion of the
candidate will not affect the decision with respect to the candidate,
*or* it is in the best interests of the CVE to make a decision.