|
|
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: CNA Rules Announcement
- To: Pascal Meunier <pmeunier@cerias.purdue.edu>
- Subject: Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Date: Sat, 8 Oct 2016 23:46:01 -0500
- Authentication-results: spf=none (sender IP is 129.83.29.2) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=attrition.org;mitre.org; dkim=none (message not signed) header.d=none;
- Cc: Chandan Nandakumaraiah <cbn@juniper.net>, cve-cna-list <cve-cna-list@LISTS.MITRE.ORG>, cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
- Delivery-date: Mon Oct 10 08:02:31 2016
- Importance: high
- In-reply-to: <c3b9d42f-a07f-c00c-48ff-45218bdbf1dc@cerias.purdue.edu>
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- References: <MWHPR09MB1485225620B9A4E94B589A85A1C60@MWHPR09MB1485.namprd09.prod.outlook.com> <alpine.LNX.2.00.1610071348180.22653@forced.attrition.org> <21d6a5ec-f1ab-cc13-d159-4fef3991bbca@juniper.net> <alpine.LNX.2.00.1610071921490.22653@forced.attrition.org> <c3b9d42f-a07f-c00c-48ff-45218bdbf1dc@cerias.purdue.edu>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 6cdb8bfc89744bd8bfee511e3e65aa05
- Spamdiagnosticoutput: 1:2
- User-agent: Alpine 2.00 (LNX 1167 2008-08-23)
On Sat, 8 Oct 2016, Pascal Meunier wrote: : I think that problem belongs to scanner vendors or the NVD, who should : worry about which vendors exactly are affected, which software versions, That is why the industry is in horrible shape. NVD doesn't even try to keep up with vendors impacted to that degree. I'm sure if they tried, they would ask for a lot more money to do so. : and which advisories apply to which, and which to report in the scanner : findings. It reminds me of Steve's mantra, "the CVE is not a : vulnerability database". Based on that mantra and your argumentation : being based on what a full-service vulnerability database can or should : do ideally, I believe the CVE should not be distorted for it. Besides, I had long debates with Christey over his mantra for many years, which I think is absurd personally. While we appreciate each other's arguments, the fact is almost every major security vendor that relies on vulnerability information uses CVE, and treats it like a VDB. More telling, is that every commercial VDB out there shares a common "#1 competition", and it isn't each other at all. CVE/NVD are the reason companies opt not to pay for better vulnerability intelligence. So use whatever term you want, it is completely irrelevant as far as the practical use as seen in the wild today. : I bet most scanners would report *all* such CVEs if they could not : determine the vendor, and count them as individual findings against the Nessus certainly wouldn't. Brian
- References:
- CNA Rules Announcement
- From: "Coffin, Chris" <ccoffin@mitre.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: jericho <jericho@attrition.org>
- Re: CNA Rules Announcement
- From: Pascal Meunier <pmeunier@cerias.purdue.edu>
- CNA Rules Announcement
- Prev by Date: Re: CNA Rules Announcement
- Next by Date: Re: CNA Rules Announcement
- Previous by thread: Re: CNA Rules Announcement
- Next by thread: Re: CNA Rules Announcement
- Index(es):