
RE: Counting on CVEs



: "In the beginning" we talked about needing 1 CVE number to represent
: integer overflow, or another for insufficient parsing; clearly that never
: stuck. But equally, it would seem that some vendors would like to assign
: a CVE per "threat", which should also have never stuck.

There is CWE for that: http://cwe.mitre.org/

: I'm unaware of > 10,000 new vulnerabilities per year, at least not in
: what I would consider "new vulnerabilities". That's one heck of a lot of
: lines of code, but if you're counting vulnerabilities in Android Apps,
: then I could also see that number be incredibly low. So perhaps the
: issues aren't with vulnerabilities, but instead with exposures?

OSVDB has 10,895 entries for 2006. Note that OSVDB abstracts very
differently than CVE or any other VDB currently, so I would guess we're
the only ones who have hit that mark.

There is additional discussion on CVE handling the #### issue on the
CERT-run vrdx mail list.


Page Last Updated or Reviewed: November 06, 2012