RE: [TECH] High-level candidates for recent SNMP problems

[Shawn Hernan <svh@cert.org>]

> IMHO, I'd put the 2 CANs you've got through and call it a day. You've
> got better things to do with your time than try and sort all this out.

As a pragmatic matter, I'm inclined to agree, though I have a tremendous 
intellectual curiosity. 

Although we knew this would be an issue at publication time, we were
simply unable to spend resources on trying to figure out the mess prior to
publication, so we split it up along the broadest lines we could -- traps
and requests. At one point, we split it up into 4 groups similar to the
way OUSPG structured the tests, but we soon ran into tremendous resource
problems just trying to explain the distinction to the various
stakeholders, and very quickly reverted to 2. But most of our public
communication happened under just one number (VU#617947) (which wasn't
either of the VU#s we eventually associated publicly with the vuls).

If these vuls hadn't been discovered effectively simultaneously, but 
instead had been discovered individually over the next 3 years, we would 
certainly be looking at more than 1000, I think. 

I don't rightly know how you would even identify "code bases" here. 

Shawn