
Do you agree? RE: [TECH] CD:VAGUE (Vague Vendor Descriptions of Vulnerabilities)



At 1:55 PM -0800 2/19/02, David LeBlanc wrote:
>
>Ah, but we're not very careful to make sure that a problem actually
>_exists_ before assigning a CAN to it.  There's noise on both ends of the
>process. So we should complain about vendors not supplying you with test
>exploits and extremely detailed information, but not complain about
>vague, poorly written and unreproducible vuln reports that end up in the
>CVE? If we're going to start griping about vagueness, let's gripe about
>all the vagueness problems, not just some of them.

Agreed.  I think that low quality CANs made for lack of better information should carry a warning or disclaimer.  It doesn't matter if the information comes from the vendor or a discoverer, if there are grounds to suspect it to be dubious.  I am willing to let the disclaimer be put at the discretion of the CVE content team.  Does anyone else agree to that?

Cheers,
Pascal
--
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist,
CERIAS
Purdue University

Page Last Updated or Reviewed: May 22, 2007