RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30
Mike, I totally agree with everything you said! However, my question comes from the voting candidate:

"A candidate entry may be included in the CVE if all of the following conditions hold: 1) It satisfies either the CVE vulnerability definition or the CVE exposure definition"

So I understand and agree: candidates that meet the CVE vulnerability definition and meet all the criteria may be included in the CVE. I don't understand why exposures that meet the rest of the conditions should end up included in the CVE. It seems like this presents a way for these exposure candidates, such as finger, to become members of the class Vulnerabilities, when in fact they should be members of a class Exposures.

Hey! We could start the CEE :)

S.

-----Original Message-----
From: Prosser, Mike [mailto:mike.prosser@L-3Security.com]
Sent: Thursday, August 26, 1999 1:56 PM
To: 'Northcutt, Stephen, CIV, BMDO/DSC'; email@example.com
Subject: RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

I wouldn't think so.....it becomes a matter of your particular security policy. If you need finger running, then for you, you accept whatever risk (exposure) is involved in running finger. If you know it exposes you to a certain degree, then you tighten up other areas... If you don't need finger on any of your boxes, then as a part of your policies it would not be allowed.

My $.02 worth

-mike

-----Original Message-----
From: Northcutt, Stephen, CIV, BMDO/DSC [mailto:Stephen.Northcutt@BMDO.OSD.MIL]
Sent: Thursday, August 26, 1999 8:18 AM
To: 'Steven M. Christey'; firstname.lastname@example.org
Subject: RE: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

I suppose QUESTION isn't one of the options, but .... I fully agree with the exposure notion. I also do not agree that finger is a vulnerability; it is a program, and outside of buffer overflows (which would be vulnerabilities) and whatnot, it does exactly what it was designed to do. Soooo.... if I vote to accept this definition, and we say running finger is an exposure, did we just create a back door way to call finger a vulnerability?

Inquiring minds truly want to know :)

-----Original Message-----
From: Steven M. Christey [mailto:coley@LINUS.MITRE.ORG]
Sent: Tuesday, August 24, 1999 6:59 PM
To: email@example.com
Subject: CD MODIFICATION: INCLUSION version 2 - Interim Decision 8/30

Please vote on this modification of the INCLUSION content decision. It has been modified to reflect the modifications suggested by the Board members, and to use the new "exposure" terminology.

Dave Mann and I are concerned that the voting - even with a minimum of 3 people - could slow down the process of CVE candidate acceptance to the point where the CVE cannot be timely enough to satisfy most uses for it. The active participation of Board members is critical for this approach to be successful. We should revisit this voting approach in a few months to ensure that it is striking the delicate balance between timeliness and accuracy.

- Steve

VOTE: (Member may vote ACCEPT, MODIFY, REJECT, or NOOP.)

Content Decision: INCLUSION (What to include in the CVE)
--------------------------------------------------------

Modified: 08/24/1999

A candidate entry may be included in the CVE if all of the following conditions hold:

1) It satisfies either the CVE vulnerability definition or the CVE exposure definition

2) It does not satisfy any Exception (see other content decisions)

3) At least 50% of active voting members vote on the candidate, and there are more votes for inclusion (ACCEPT/MODIFY) than exclusion (REJECT). An active voter is one who has voted on the particular candidate or voted for some candidate in the previous two weeks (or several times in the previous month), and has not declared themselves to be inactive.

4) Either:
   - at least 3 non-MITRE members vote for inclusion, *OR*
   - the candidate entry predates the initial public release of the CVE, and
     - at least 2 non-MITRE members vote for inclusion, and
     - either the entry is confirmed by the vendor, or it is tested by at least one well-known security tool (or mentioned in at least one well-known vulnerability database) that is not associated with a Board member who voted for the candidate

5) The Moderator has determined that further discussion of the candidate will not affect the decision with respect to the candidate, *or* it is in the best interests of the CVE to make a decision.