CONTENT DECISION: High-level content decisions for CF problems
Below are some content decisions that permeate much of the CVE with
respect to configuration problems. I arrived at decisions like these
after several false starts and near-taxonomy experiences. I
acknowledge that there may be some small overlap across these content
decisions. To ensure consistency across the CVE, the order in which
these content decisions are applied should always be the same.
1) Different Functionality, Different Configuration Problem
- if the problem occurs in an application, OS, or device that
is fundamentally and functionally different from the app/OS/device
related to another problem, then they are different problems
- implications:
- separate problems for hosts vs. routers/firewalls
- separate problems for Unix vs. NT
- separate problems for services like POP, TFTP, SMB, database
2) Leveraged vs. Assigned Access
- if a configuration problem directly allows someone to gain
additional access (Leveraged), separate it from a problem that
simply gives the access that has been specified (Assigned)
- example:
- exporting / or C: can be Leveraged; exporting /cdrom or
D:GUEST-SHARES cannot (in general)
3) Different Risk, Same Configuration Problem
- do not distinguish between risk if the configuration problem is
otherwise the same
- exception: Leveraged vs. Assigned access
- example:
- root null password and guest null password are equivalent
- password file and boot script are equivalent
4) Same Checkbox, Same Vulnerability
- if two options appear on the same checkbox or are different
records in the same database, then they are equivalent
- example: password entries in a password file, read/write/delete
file access permissions
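The four decisions above are a fixed-order procedure, and the message's point about consistency is that the order matters. The following added Python example (not part of the original message or of CVE's own tooling) encodes a candidate configuration problem as a record and applies the decisions in the order 1, 2, 3, 4 to decide whether two records collapse into one entry. The record fields (`platform`, `service`, `checkbox`, `record`, `leveraged`, `risk`) and the sample records are this example's own constructions, and whether a problem is Leveraged is taken as an analyst's input rather than computed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ConfigProblem:
    """One candidate configuration problem as an analyst might record it.
    Field names are this example's own, not CVE's."""
    platform: str     # functional class of the system: "unix", "nt", "router", ...
    service: str      # functional class of the service: "login", "nfs", "filesystem", ...
    checkbox: str     # the option or record type being misconfigured
    record: str       # the specific record (user, path, share) affected
    leveraged: bool   # analyst's judgement: does it directly grant extra access?
    risk: str         # analyst's risk rating; decision 3 says this must not separate entries


def same_entry(a: ConfigProblem, b: ConfigProblem) -> tuple[bool, str]:
    """Apply the content decisions in the fixed order 1, 2, 3, 4.
    Returns (collapse_into_one_entry, decision_that_settled_it)."""
    # Decision 1: different functionality -> different problem
    if (a.platform, a.service) != (b.platform, b.service):
        return False, "1: different functionality"
    # Decision 2: Leveraged and Assigned access are kept apart
    if a.leveraged != b.leveraged:
        return False, "2: leveraged vs assigned access"
    # Decision 3: risk never separates otherwise-identical problems,
    # so a.risk and b.risk are deliberately not compared at all
    # Decision 4: same checkbox / same database -> same vulnerability
    if a.checkbox == b.checkbox:
        return True, "4: same checkbox (risk ignored per 3)"
    return False, "different checkbox"


def checkbox_first(a: ConfigProblem, b: ConfigProblem) -> bool:
    """Deliberately wrong ordering (decision 4 before decision 2), kept here
    only to show why the order of application must be fixed."""
    if (a.platform, a.service) != (b.platform, b.service):
        return False
    if a.checkbox == b.checkbox:
        return True          # merges before the Leveraged/Assigned split is checked
    return a.leveraged == b.leveraged


# Constructed sample records mirroring the message's own examples.
# The risk ratings and Leveraged flags are this example's assumptions.
ROOT_NULL = ConfigProblem("unix", "login", "password", "root", False, "high")
GUEST_NULL = ConfigProblem("unix", "login", "password", "guest", False, "medium")
NT_NULL = ConfigProblem("nt", "login", "password", "Administrator", False, "high")
EXPORT_ROOT = ConfigProblem("unix", "nfs", "export", "/", True, "high")
EXPORT_CDROM = ConfigProblem("unix", "nfs", "export", "/cdrom", False, "low")
PASSWD_PERMS = ConfigProblem("unix", "filesystem", "file-permissions", "/etc/passwd", True, "high")
RC_PERMS = ConfigProblem("unix", "filesystem", "file-permissions", "/etc/rc", True, "medium")


def demo() -> dict[str, tuple[bool, str]]:
    """Run each pair the message discusses through the fixed-order procedure."""
    return {
        "root null vs guest null": same_entry(ROOT_NULL, GUEST_NULL),
        "unix null vs nt null": same_entry(ROOT_NULL, NT_NULL),
        "export / vs export /cdrom": same_entry(EXPORT_ROOT, EXPORT_CDROM),
        "password file vs boot script": same_entry(PASSWD_PERMS, RC_PERMS),
        "null password vs export /": same_entry(ROOT_NULL, EXPORT_ROOT),
    }


if __name__ == "__main__":
    for pair, (same, why) in demo().items():
        print(f"{pair:32} -> {'SAME' if same else 'SEPARATE'} ({why})")
    # With the order swapped, exporting / and exporting /cdrom would be merged:
    print("checkbox-first would merge export / and /cdrom:",
          checkbox_first(EXPORT_ROOT, EXPORT_CDROM))
```

The `checkbox_first` variant is the cautionary case: applied before decision 2, "same checkbox" swallows the Leveraged export of `/` into the Assigned export of `/cdrom`, which is exactly the merge the second decision exists to prevent.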