RE: Sources: Full and Partial Coverage
>email@example.com] On Behalf Of Adam Shostack
>I'm not sure which of these approaches would work best. Are there
>other non-product-centric issues that folks have encountered? Perhaps
>with more samples, we can find a category.
It bears reiterating that there are (at least) 2 dimensions to this problem:
+ What is important to cover
+ How do we describe what we will and won't cover
An analogy that I find useful (some on the CVE team strongly object to this one) is the role of jurisdictions within law enforcement. Throwing a dart at the US map arbitrarily, the California State Police might have their criteria for how they select criminals they will put on their "10 Most-Wanted" list.
But, these criteria are very different from the state boundaries that define their operational jurisdictions.
We are moving into a time in which we must accept that CVE can no longer aspire to provide ID coverage for the global software market.
Our interest in identifying the sources for which we'll provide full and partial coverage is primarily driven out of our need to define our "jurisdictional boundaries", if you will. It's a way for us to begin the dialog of how to coordinate with other ID-issuing capabilities and to manage the expectations of those who rely on CVE IDs.
Compared to law enforcement, vulnerability information coordination is pretty immature -- it's that millennia versus decades thing. Our attempts to define our operational boundaries are going to be crude, clumsy and inexact for some time to come. And just as the police don't patrol all streets equally, we know that we'll need to prioritize among the sources in our coverage boundary, and we'll need to exercise ongoing judgment as to which issues we provide IDs for and which ones we let go by (as we've been doing for a very long time now).
David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:firstname.lastname@example.org | cell:781.424.6003