Re: Candidate numbering scheme discussion - summary so far
"Steven M. Christey" wrote:
<SNIP>
> In my
> opinion, a CVE number should only be assigned to a well-understood
> vulnerability. The CVE "label" should imply stable information.
> Candidates by their nature will be largely unstable.
I very much agree.
> If we allow the OS/application vendors to
> assign their own CVE number, we run a further risk of diluting the
> quality of the CVE number - because they might not understand content
> decisions as well as board members, and make a mistake which forces
> the CVE number to be unaccepted, split or merged, etc.
This is almost a certainty; it is unknown whether even the core CVE
group will be able to maintain a common understanding/agreement on
levels of abstraction, differentiation, etc. It is highly doubtful that
more casual participants will have that same understanding/agreement.
>
> I think we should stay with the CAN approach. And even if it doesn't
> work as expected, I believe it would be easier for us to go from the
> CAN approach to something like Adam suggested, than to do it the other
> way around.
Yes.
Bill
--
----------------------------------------------------------------------
William Hill V:703-883-6416
INFOSEC Engineer F:703-883-1397
The MITRE Corporation bill@mitre.org
1820 Dolley Madison Blvd. M/S W422 whhill@acm.org
McLean, VA 22102-3481