[
Date Prev][
Date Next][
Thread Prev][
Thread Next][
Date Index][
Thread Index]
Re: [CVEPRI] March 9-10 Editorial Board Meeting Summary
Gene must have been eavesdropping on our meeting. We also considered things
like ICQ, which is in permanent beta. We basically agreed that mere beta
status is not a reason to exclude things from the CVE. The main criteria for
inclusion would include length of life and wideness of availability. This
does not mean we have to include every security bug in every short-lived
"true" beta.
Hope this clears things up.
Andy
----- Original Message -----
From: Gene Spafford <spaf@CERIAS.PURDUE.EDU>
To: Pascal Meunier <pmeunier@PURDUE.EDU>
Cc: <cve-editorial-board-list@lists.mitre.org>
Sent: Tuesday, March 14, 2000 8:50 AM
Subject: Re: [CVEPRI] March 9-10 Editorial Board Meeting Summary
> At 09:09 AM 3/14/00 , Pascal Meunier wrote:
> >>The Board also reviewed CD:EX-BETA. Attendees agreed that CVE should
> >>include problems in beta software, provided that the beta code was
> >>intended for public dissemination.
> >
> >I missed that part. I would like to know why people think that bugs
> >in admittedly buggy, pre-release, short-lived software run by a few
> >people (on hopefully sandboxed or somehow protected or unimportant
> >systems) should be of concern to the CVE.
>
> Unfortunately, the definition of "beta" that you used is not the one used
> by most vendors any more (except the buggy part). Most vendors now
> release traditionally-alpha code onto the net or in other widespread
> release and lots of people adopt it. Mozilla and Windows 2000 are
examples
> of long-lived, widesprad releases of "beta" code.
>
> --spaf
>