Re: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)
Pascal and Steve,

My take on this is a practical one, as always. If a vendor chooses to release something vague, they are openly admitting that they have a problem that requires patching. The vendor admits that an exposure or vulnerability exists. While I wish we lived in a world of perfect information, that is not the case. I think CD:VAGUE will help us deal with that imperfection, provided we don't overuse it.

I think it's important to remember that one of the primary uses of CVE is to help get systems properly secured. In the cases where a vendor says "You need to install this patch", I think that warrants a CVE entry... even if it is a little vague.

If we start assigning VAGUE to unconfirmed items, it could get a little messy. Maybe we need to specify in the definition that VAGUE specifically refers to vague VENDOR-confirmed reports rather than vague reports in general.

I'm sure if we beat this to death long enough we can come up with a metric for vagueness too. :-)

Scott

Scott Lawler, CISSP
Veridian