I agree that we do have a gap issue with the 170k but those are mostly covered under the current INC guidance. The fact that they are not issued CVEs is a different issue than the INC rules.
Your auto updates issue is an example of where we have not kept up though.
Pondering "judgement" too. One person's judgement is sometimes different than another so, as you suggest, appropriate guidelines are helpful. There is a balance in going just deep enough and not too deep and getting stuck in paralysis-by-analysis though.
Well just because you have guidelines and precedence doesn't mean you have to spend a lot of time on them =). Much like the real world we do have a CVE court of appeals with a supreme court (MITRE) which means no matter how bad a mistake we make, we can probably rectify it.
Thank you,
Kurt, my read on your logic below is that we should reconsider or expand on "attacker triggered" - it is much more about a general potential and likelihood. I too agree that if the likelihood is based on wall clock or some finite exhaustion of a resource it is not chance but an inevitable occurrence. I think your argument is that "attacker triggered" is too narrow? If so I agree.
So CVE famously covers "bugs that cross a trust boundary" and to a lesser extent are "attacker triggered" and then a famous "and CVE is actionable, you can do something about it" (fix it, compensating control, etc.). Yes I know about INC1-4 as well, but I'm speaking more generally.