Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)

To: "Steven M. Christey" <coley@linus.mitre.org>
Subject: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
From: Gene Spafford <spaf@cs.purdue.edu>
Date: Tue, 20 Jul 1999 22:44:36 -0500
Cc: cve-editorial-board-list@lists.mitre.org
In-Reply-To: <199907210332.XAA10246@basie.mitre.org>
References: <199907210332.XAA10246@basie.mitre.org>
Reply-To: spaf@cs.purdue.edu

Hmm, interesting.

Suppose we consider a "rule of thumb:"

Any software that functions according to its specification, and whose 
correct functioning is within the bounds of a common security policy 
(but not necessarily *every* policy) will NOT be considered a 
vulnerability for inclusion in the CVE."

Thus, the finger program would not be a vulnerability so long as all 
of its functions are correct and known.   We might allow its use in 
an academic environment, so it is not a vulnerability.

By that token, I would contend that guessable passwords are not a 
vulnerability, either.

Of course, this introduces the question of where do we get complete 
specifications and common policies.... :-)

--spaf

References:
- PROPOSAL: Cluster 20 - DESIGN (27 candidates)
  - From: "Steven M. Christey" <coley@linus.mitre.org>

Prev by Date: CONTENT DECISION: Discussion related to DESIGN and NTCONFIG clusters
Next by Date: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Prev by thread: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Next by thread: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Index(es):
- Date
- Thread

Page Last Updated or Reviewed: May 22, 2007

Use of the CVE® List and the associated references from this website are subject to the terms of use. CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2024, The MITRE Corporation. CVE and the CVE logo are registered trademarks of The MITRE Corporation.