[ Date Prev ][ Date Next ][ Thread Prev ][ Thread Next ][ Date Index ][ Thread Index ]

Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)

To : "Steven M. Christey" < coley@linus.mitre.org >
Subject : Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
From : Gene Spafford < spaf@cs.purdue.edu >
Date : Tue, 20 Jul 1999 22:44:36 -0500
Cc : cve-editorial-board-list@lists.mitre.org
In-Reply-To : < 199907210332.XAA10246@basie.mitre.org >
References : < 199907210332.XAA10246@basie.mitre.org >
Reply-To : spaf@cs.purdue.edu

Hmm, interesting.

Suppose we consider a "rule of thumb:"

Any software that functions according to its specification, and whose
correct functioning is within the bounds of a common security policy
(but not necessarily *every* policy) will NOT be considered a
vulnerability for inclusion in the CVE."

Thus, the finger program would not be a vulnerability so long as all
of its functions are correct and known.   We might allow its use in
an academic environment, so it is not a vulnerability.

By that token, I would contend that guessable passwords are not a
vulnerability, either.

Of course, this introduces the question of where do we get complete
specifications and common policies.... :-)

--spaf

References :
- PROPOSAL: Cluster 20 - DESIGN (27 candidates)
  - From: "Steven M. Christey" <coley@linus.mitre.org>

Prev by Date: CONTENT DECISION: Discussion related to DESIGN and NTCONFIG clusters
Next by Date: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Prev by thread: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Next by thread: Re: PROPOSAL: Cluster 20 - DESIGN (27 candidates)
Index(es):
- Date
- Thread

Page Last Updated or Reviewed: May 22, 2007

Site Map | Terms of Use | Privacy Policy | Contact Us | Follow CVE

Use of the CVE^™ List and the associated references from this website are subject to the terms of use . CVE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA). Copyright © 1999–2021, The MITRE Corporation . CVE is a registered trademark and the CVE logo is a trademark of The MITRE Corporation.