Message-ID: <56E1DB21.3050206@cert.org>
Date: Thu, 10 Mar 2016 15:37:53 -0500
From: Art Manion <amanion@...t.org>
To: oss-security@...ts.openwall.com
Subject: Re: Concerns about CVE coverage shrinking - direct
 impact to researchers/companies

On 2016-03-05 15:53, Solar Designer wrote:
> ... or on any third-party doing it.  I expect that various existing
> vulnerability databases will start listing OVE IDs along with other IDs
> they're currently listing.  Whatever IDs are available for an issue.
> 
> Of course, the information will need to be available to those
> third-party databases from somewhere - but this can be the researcher's
> or the vendor's disclosure, as you say.  Until such disclosure, a
> customer would not even be aware of the ID, let alone want to look it up.

There is a group called VRDX-SIG:

  https://www.first.org/global/sigs/vrdx

An approach we are taking is to develop a simple cross-reference
protocol, such that any vulnerability ID can be related to any other
(e.g., equivalent-to, superset, subset, similar-to, not-equivalent).
This approach was chosen intentionally to avoid creating yet another
CVE-like system, but to support the expected fracturing of vulnerability
ID systems.

 - Art