Re: Survey: Use of Same Attack/Same Codebase content decision in VDB's

[Adam Shostack <adam@netect.com>]

We have moved to intentionally using a same codebase decision point.
(We used to argue about it a lot internally, and it was in fact the
windows/unix different codebases that led us to this point.)  Thus, we
have outlook and netscape mime overflows seperated (and we dont check
the Sun one, lacking a UNIX credentialed checking tool today).  We
have asp-dot and win-apache-dot as seperate checks.

Adam

PS: We still do argue about the appropriate LOA internally from time
to time.

On Wed, Jun 30, 1999 at 07:45:05PM -0400, Steven M. Christey wrote:
| 
| All:
| 
| I'd prefer to delay deciding on the Same Attack/Same Codebase
| decisions until I hear from an IDS person.
| 
| Also, I think it would help us all to know which content decision is
| being used by those who have created/maintained vulnerability
| databases.  If the CVE is to be a translation mechanism, then what's
| out there "right now" could suggest the appropriate approach, or at
| least break a tie.
| 
| So if you could let us know:
| 
| 1) Whether you have consciously applied a Same Attack or Same Codebase
| content decision in your database (and which)
| 
| 2) How "consistent" you believe your database is with respect to that
| content decision
| 
| 3) If neither was a specific content decision that you made, if you
| believe that your database reflects one or the other
| 
| 4) If your database's content decision is in conflict with what you
| have been advocating for the CVE, what is the nature of that conflict?
| 
| If this survey is productive, I expect to ask it for the other content
| decisions that we discuss.
| 
| 
| Thanks,
| - Steve