Re: CVE ID Syntax Vote - results and next steps

To: <Kent_Landfield@McAfee.com>
Subject: Re: CVE ID Syntax Vote - results and next steps
From: security curmudgeon <jericho@attrition.org>
Date: Thu, 18 Apr 2013 11:43:47 -0500
CC: <cve-editorial-board-list@LISTS.MITRE.ORG>
Delivery-Date: Thu Apr 18 12:45:55 2013
In-Reply-To: <3CBA099FBA0AB843895D72474092B8CF1E8E42@MIVEXAMER1N1.corp.nai.org>
List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
References: <3CBA099FBA0AB843895D72474092B8CF1E8E42@MIVEXAMER1N1.corp.nai.org>
Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
User-Agent: Alpine 2.00 (LNX 1167 2008-08-23)

On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:

: Thank you for the comment as I think it is spot on.  I too think a more 
: expanded Option A is an reasonable alternative. I have stated before 
: McAfee felt that 6 digits was just too short for the future proofing and 
: if extended to 7 or more we may have changed our vote.  I see problems 
: with option B but future proofing was really the driving factor for our 
: decision. I'd like to second Harold's request to reconsider Option A 
: length.

Could McAfee, or anyone who voted for 'B' due to the 'future proofing' 
concern please address the repeated comments about how that is absurd?

In case you missed it in Steve Christey's CVE vote email:

   It should be noted that the team feels that any circumstance(s) that 
   would require the issuance of (on average) over 2,700 CVE IDs per day 
   (999,999 IDs per year) would reflect a fundamental change in the 
   meaning and usage of CVE IDs.  Put another way, the "CVE" that requires 
   the issuance of over 2,700 IDs would not be the CVE of today.

As Carsten Eiram from RBS noted:

   1) A purely theoretical explosion in vulnerability reports and coverage
   (keeping in mind that MITRE currently has trouble keeping up with the
   existing trend and don't guarantee all vulnerabilities will be assigned
   CVEs). A change from 8K-10K vulnerabilities reported per year to > 1
   million is simply unrealistic. Even if someone starts auditing a ton of
   projects with automated code scanning tools and without any manual
   follow-up analysis just dumps the results on some mailing list, we 
   would be hard-pressed to exhaust 6 digits. We would be discussing 
   resource problems long before hitting those numbers, as neither CVE nor 
   any CVE processors will be able to keep up with such a load.

So I politely request that anyone voting against 'A' and cited this 
concern please discuss it first. I can't understand how this is a real 
concern, especially in conjunction with several companies that basically 
said "option B is much easier on our current system, we will have to 
change less" which seems exceedingly selfish, and not in the interest of 
the community so much as the interest of your specific company.

Thank you,

Brian

Follow-Ups:
- Re: CVE ID Syntax Vote - results and next steps
  - From: <Kent_Landfield@McAfee.com>
- Re: CVE ID Syntax Vote - results and next steps
  - From: Art Manion <amanion@cert.org>

References:
- Re: CVE ID Syntax Vote - results and next steps
  - From: <Kent_Landfield@mcafee.com>

Prev by Date: Re: CVE ID Syntax Vote - results and next steps
Next by Date: Re: CVE ID Syntax Vote - results and next steps
Prev by thread: Re: CVE ID Syntax Vote - results and next steps
Next by thread: Re: CVE ID Syntax Vote - results and next steps
Index(es):
- Date
- Thread