
Re: CNA Rules Announcement

On Sat, 8 Oct 2016, Pascal Meunier wrote:

: I think that problem belongs to scanner vendors or the NVD, who 
: worry about which vendors exactly are affected, which software 

That is why the industry is in horrible shape. NVD doesn't even try to 
keep up with vendors impacted to that degree. I'm sure if they tried, they 
would ask for a lot more money to do so.

: and which advisories apply to which, and which to report in the 
: findings.  It reminds me of Steve's mantra, "the CVE is not a 
: vulnerability database". Based on that mantra and your argumentation 
: being based on what a full-service vulnerability database can or 
: do ideally, I believe the CVE should not be distorted for it.  

I had long debates with Christey over his mantra for many years, which I 
think is absurd personally. While we appreciate each other's arguments, 
the fact is almost every major security vendor that relies on 
vulnerability information uses CVE, and treats it like a VDB. More 
telling is that every commercial VDB out there shares a common "#1 
competition", and it isn't each other at all. CVE/NVD are the reason 
companies opt not to pay for better vulnerability intelligence. So use 
whatever term you want, it is completely irrelevant as far as the 
practical use as seen in the wild today.

: I bet most scanners would report *all* such CVEs if they could not 
: determine the vendor, and count them as individual findings against 

Nessus certainly wouldn't.


Page Last Updated or Reviewed: October 10, 2016