Date: Thu, 10 Mar 2016 15:37:53 -0500 From: Art Manion <amanion@...t.org> To: oss-security@...ts.openwall.com Subject: Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies On 2016-03-05 15:53, Solar Designer wrote: > ... or on any third-party doing it. I expect that various existing > vulnerability databases will start listing OVE IDs along with other IDs > they're currently listing. Whatever IDs are available for an issue. > > Of course, the information will need to be available to those > third-party databases from somewhere - but this can be the researcher's > or the vendor's disclosure, as you say. Until such disclosure, a > customer would not even be aware of the ID, let alone want to look it up. There is a group called VRDX-SIG: https://www.first.org/global/sigs/vrdx An approach we are taking is to develop a simple cross-reference protocol, such that any vulnerability ID can be related to any other (e.g., equivalent-to, superset, subset, similar-to, not-equivalent). This approach was chosen intentionally to avoid creating yet another CVE-like system, but to support the expected fracturing of vulnerability ID systems. - Art
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.