Re: CVE ID Syntax Vote - results and next steps
On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:

: Not sure if you just wish to be confrontational or just not looking at
: realities.

I am aiming for a discussion so that we don't keep hitting this voting stalemate. Further, I could ask if you are trying to be a troll with some of your comments.

: We have exceeded 10,000 vulnerabilities as a community. If

Please educate us. Which VDBs have documented 10,000 vulnerabilities in a given year, exactly? Then show us which ones I am the content manager of.

That's right. I run the only public VDB that has broken 10k that I am aware of, and that was in 2006. Since then, we have not hit 10k again, but we are working toward it with our historical backfill effort. Now, do you want to discuss who is being confrontational and/or who is trolling here?

Again, I state as absolute fact, which is not confrontational, that historically we have not hit 10,000 CVEs.

: CVE did not wish to report them all that does not change the situation.

It absolutely does. If CVE says "we aren't going to report on all vulnerabilities", it speaks to the allocation pool required. If current guidelines suggest they only monitor X sources, which is Y percent of the total disclosed vulnerabilities as documented across all VDBs, it gives us a good idea of whether 1MIL or 10MIL is ever going to be breached by current or realistic future policy.

: So what you are arguing about is a single digit? Really? By extending
: it a 'single' digit you can most likely get the votes to pass it. A
: single digit?

Actually, I am arguing against 'B' more than I am arguing for 'A'. Don't make assumptions. I am against the mixed format of 'B', where the padding of zeros applies to the first 9999 entries and no more. I want a standard format. If that is 'A' and 6, 7, or 18 digits, or if that is 'B' and no padding at all, I don't much care. I see the standard digits as easier to work with, and it helps ensure the identifier is correct in length.

: As for being selfish? you are sadly mistaken. This is a real cost to
: the entire community, All vendors and organizations that use CVE
: internally, they too will have to go through the same QA. This is not

That is factually incorrect too. This has absolutely NO cost to a large part of the community, unless you are selfishly describing the community as "vendors that have technical implementations of the CVE system", of which I am a part on two fronts: my day job, and OSVDB. This impacts me more than it impacts you in some ways.

: selfish, this is a reflection of the costs that ALL in the community are
: going to have to deal with. We want CVE adoption to be universal. I am

See above. You have delusions on what the "community" entails here, I think. You think Joe Researcher with 4 disclosures a year, who is currently asking for a CVE, has any cost associated with it? No.

Yes, there is a real cost to some members of the community. Yes, you are in a position to bear a LOT more cost than 99% of the community. Thus, my assertion that your choice may be biased and selfish. That may be a bit confrontational, but it is also rooted in logic.

: My opinion is more than clear. I am hoping we will hear from others as
: well. We know where you stand as well.

Except, you don't. You made assumptions that I outline and clarify above. Now that I tell you that 'A' or 'B' don't matter, as long as it is standard, does that change any of your arguments? I've already established that you are factually incorrect about two things.
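As an added illustration, not part of the message above or of any CVE board material, here is a small Python check of the two identifier styles the thread argues about. It assumes option 'A' is a fixed-width, zero-padded sequence number (six digits is chosen here as an assumption; the message says the exact count does not matter) and option 'B' is four-digit zero padding for the first 9999 entries with longer sequence numbers carrying no leading zero, which is how the message describes 'B'. The `truncation_survivors` helper is constructed for this example to make the length-checking point concrete: under a fixed width, every truncated identifier fails validation, whereas under 'B' a six-digit sequence cut short can still pass as a valid four- or five-digit one, so a length check alone cannot catch the error.

```python
import re

# Assumed encodings of the two ballot options, for illustration only.
# The option names come from the thread; the digit count for 'A' is an
# assumption, since the message says 6, 7 or 18 would all be acceptable.
FIXED_WIDTH = 6
PREFIX_LEN = len("CVE-YYYY-")

# Option 'A': year, then exactly FIXED_WIDTH digits, always zero-padded.
OPTION_A = re.compile(r"CVE-\d{4}-\d{%d}" % FIXED_WIDTH)

# Option 'B': year, then either exactly four digits (zero-padded) or five
# or more digits with no leading zero; padding stops at 9999.
OPTION_B = re.compile(r"CVE-\d{4}-(?:\d{4}|[1-9]\d{4,})")


def valid_a(cve_id: str) -> bool:
    """True if cve_id is well-formed under the fixed-width option 'A'."""
    return OPTION_A.fullmatch(cve_id) is not None


def valid_b(cve_id: str) -> bool:
    """True if cve_id is well-formed under the variable-length option 'B'."""
    return OPTION_B.fullmatch(cve_id) is not None


def format_a(year: int, seq: int) -> str:
    """Render a sequence number in the option 'A' style."""
    return f"CVE-{year}-{seq:0{FIXED_WIDTH}d}"


def format_b(year: int, seq: int) -> str:
    """Render a sequence number in the option 'B' style. Zero-padding to
    width 4 is a no-op once seq has five or more digits, which is exactly
    the "pad the first 9999 entries and no more" rule."""
    return f"CVE-{year}-{seq:04d}"


def truncation_survivors(year: int, seq: int, validator, formatter) -> list:
    """Return every proper prefix of the formatted ID (cut inside the
    sequence number) that the validator still accepts. A non-empty list
    means a truncated or partially copied identifier passes as a valid,
    different CVE ID instead of being rejected."""
    full = formatter(year, seq)
    return [full[:n] for n in range(PREFIX_LEN + 1, len(full)) if validator(full[:n])]


if __name__ == "__main__":
    # Constructed sample sequence numbers: below, at and above the 4-digit boundary.
    for seq in (42, 99999, 123456):
        print("A", format_a(2013, seq), truncation_survivors(2013, seq, valid_a, format_a))
        print("B", format_b(2013, seq), truncation_survivors(2013, seq, valid_b, format_b))
```

Running the block shows that option 'A' never yields a survivor for any sequence number, while option 'B' yields `CVE-2013-9999` for 99999 and both `CVE-2013-1234` and `CVE-2013-12345` for 123456; only sequence numbers that are still within the padded range (such as 42) are safe from this under 'B'.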