[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Simplified Draft Counting Paper for CVE Editorial Board Review

The "incomplete fix == another CVE" mode of operation makes sense to me as the code base has changed, and presumably also the mistakes and assumptions made also changed, which is interesting academically and from a teaching perspective. The repeated attempts to fix something are interesting to me, and using different CVEs makes that easier to follow and examine. I believe this is fine and helpful. Additional coverage and linkage would be more the province of databases based on the CVE, or the CWE.


On 03/30/2016 08:09 PM, Kurt Seifried wrote:
One thing to keep in mind I think is that at a high level CVE stands for
"Common Vulnerabilities and Exposures", so obviously it's used to track
vulns, but on the other side CVE is also heavily used to track 
be it software updates, workarounds, compensating controls, whatever. A
good example of this is the search results:


I'm not sure we need to cover it much beyond the "incomplete fix == 
CVE", thoughts/comments?

Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: July 12, 2016