|
|
Actually, the only thing I find to devolve this discussion is your comment. Kent and Brian are creating a much needed (perhaps spirited) discussion. As I see it, they are being direct and challenging each other (one part a bit more than the other), which is good for a change. Personally, I think the discussion stands the best chance to sway opinion to help us avoid another deadlock vote, which is what we need.I do not intend for this to come across as rude, but for someone who hasn't really contributed to any dialogue for a very long time, I think it's a shame that your one contribution now is to attack the "tone" of the discussion./CarstenOn Thu, Apr 18, 2013 at 11:20 PM, Alfred Huger <ahuger@sourcefire.com> wrote:
This is seriously devolving. Can we possibly drop the temperature a bit and discuss this civilly?alOn 18 April 2013 15:04, security curmudgeon <jericho@attrition.org> wrote:On Thu, 18 Apr 2013, Kent_Landfield@McAfee.com wrote:: Not sure if you just wish to be confrontational or just not looking at
: realities.
I am aiming for a discussion so that we don't keep hitting this voting
stalemate. Further, I could ask if you are trying to be a troll with some
of your comments.
Please educate us. Which VDBs have documented 10,000 vulnerabilities in a
: We have exceeded 10,000 vulnerabilities as a community. If
given year exactly. Then show us which ones I am the content manager of.
That's right. I run the only public VDB that has broken 10k that I am
aware of, and that was in 2006. Since then, we have not hit 10k again but
we are working toward it with our historical backfill effort.
Now, do you want to discuss who is being confrontational and/or who is
trolling here? Again, I state as absolute fact, which is not
confrontational, that historically, we have not hit 10,000 CVEs.
It absolutely does. If CVE says "we aren't going to report on all
: CVE did not wish to report them all that does not change the situation.
vulnerabilities", it speaks to the allocation pool required. If current
guidelines suggest they only monitor X sources, which is a Y percent of
total disclosed vulnerabilities as documented across all VDBs, it gives us
a good idea if 1MIL or 10MIL is ever going to be breached by current or
realistic future policy.
: single digit?
: So what you are arguing about is a single digit? Really? By extending
: it a 'single' digit you can most likely get the votes to pass it. A
Actually I am arguing against 'B' more than I am arguing for 'A'. Don't
make assumptions.
I am against the mixed format of 'B' where the padding of zeros applies to
the first 9999 entries, and no more. I want a standard format. If that is
'A' and 6, 7, or 18 digits, or if that is 'B' and no padding at all, I
don't much care. I see the standard digits as easier to work with and it
helps ensure the identifier is correct in length.
: As for being selfish? you are sadly mistaken. This is a real cost to
: the entire community, All vendors and organizations that use CVEThat is factually incorrect too. This has absolutely NO cost to a large
: internally, they too will have to go through the same QA. This is not
part of the community, unless you are selfishly describing the community
as "vendors that have technical implementations of the CVE system", of
which I am a part of on two fronts: my day job, and OSVDB. This impacts me
more than it impacts you in some ways.
See above. You have delusions on what the "community" entails here I
: selfish, this is a reflection of the costs that ALL in the community are
: going to have to deal with. We want CVE adoption to be universal. I am
think. You think Joe Researcher with 4 disclosures a year, that is
currently asking for a CVE has any cost associated with it? No.
Yes, there is a real cost to some members of the community. Yes, you are
in a position to bear a LOT more cost than 99% of the community. Thus, my
assertion that your choice may be biased and selfish. That may be a bit
confrontational, but it is also rooted in logic.
: My opinion is more than clear. I am hoping we will hear from others as
: well. We know where you stand as well.Except, you don't. You made assumptions that I outline and clarify above.
Now that I tell you that 'A' or 'B' don't matter, as long as it is
standard, does that change any of your arguments? I've already established
that you are factually incorrect about two things.