Date: Mon, 07 Mar 2016 11:28:48 +0000
From: Simon Ward <simon+oss-sec@...ah.co.uk>
To: oss-security@...ts.openwall.com,Adam Caudill <adam@...mcaudill.com>
CC: cve-editorial-board-list <cve-editorial-board-list@...ts.mitre.org>
Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies

On 5 March 2016 20:25:49 GMT+00:00, Adam Caudill <adam@...mcaudill.com> wrote:
>Here is what I would like to see:
>
>* Simple ID Request - Data required should be minimal, though I think
>a few basic items are needed. Perhaps vendor, product, version(s),
>title, and contact information. Optionally, the requestor should be
>able to provide their GPG public key, a detailed description,
>reference URL(s), etc. The ID should then be instantly issued, and
>given a status of assigned.

While I like the idea of being able to trivially get a global identifier for a vulnerability, I find those with no information, i.e. unknown attack vector and impacts, useless. There's no good way to prioritise these: if you assume the worst case you get drowned in a sea of vulnerabilities you have to investigate.

Simon
-- 
Sent from Kaiten Mail. Please excuse my brevity.
