
Do you agree? RE: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)

At 1:55 PM -0800 2/19/02, David LeBlanc wrote:
>Ah, but we're not very careful to make sure that a problem actually
>_exists_ before assigning a CAN to it.  There's noise on both ends of the
>process. So we should complain about vendors not supplying you with test
>exploits and extremely detailed information, but not complain about
>vague, poorly written and unreproducible vuln reports that end up in the
>CVE? If we're going to start griping about vagueness, let's gripe about
>all the vagueness problems, not just some of them.

Agreed.  I think that low quality CANs made for lack of better information should carry a warning or disclaimer.  It doesn't matter if the information comes from the vendor or a discoverer, if there are grounds to suspect it to be dubious.  I am willing to let the disclaimer be put at the discretion of the CVE content team.  Anyone else agree to that?

Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist,
Purdue University

Page Last Updated: May 22, 2007