
Re: CVE ID Syntax Vote - results and next steps



On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:

: So what types of things could POTENTIALLY impact CVE in the future? All listed below are potentials only?
: 
:   1.  Increased CNAs in the existing US speaking countries

This will no doubt happen. I am also going to start a campaign to yank CNA 
status from some vendors who are not following established procedure 
though.

:   2.  Potential global expansion with other geo-regions using CVE (global CNAs)

This has potential to significantly increase CVEs, and we would break 10k 
quickly. I don't see it breaking 1MIL by any current standard or policy, 
even if every single country had 10 CNAs.

:   3.  Automated vulnerability identification means.

See previous arguments. I don't consider this valid, despite it being my 
primary argument of "how to reach 1mil vulns in a year".

:   4.  Expansion to other evolving technologies such as tablet, mobile, etc.

Uh... have you been watching CVE assignments the last few years? Those are 
already in the fold. This should be reworked to a significant jump in 
Android applications being analyzed for low hanging fruit, which has the 
potential to spike it well past 10k, but not into the 1MIL+ mark.

: The CVE format cannot be decided based on the landscape today.  There 

Then why are we deciding on a new format, based on the landscape today?


Page Last Updated or Reviewed: October 03, 2014