Re: [Full-Disclosure] Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
- To: guninski@guninski.com
- Subject: Re: [Full-Disclosure] Re: Microsoft MCWNDX.OCX ActiveX buffer overflow
- From: "Steven M. Christey" <coley@mitre.org>
- Date: Fri, 15 Aug 2003 17:09:25 -0400 (EDT)

Georgi Guninski said:

>So you are collecting 0days for free, put them in a lame database and
>whine more than a script kiddie this is a hard job?

I don't view it that way.

1) CVE is not a vulnerability database, per the FAQ on the CVE web
   site at http://cve.mitre.org/about/faq.html#A7 (though we are not
   blind to the fact that some people try to use it as a database
   anyways).

   The issues that we deal with in CVE have a bit of overlap with
   database maintainers.

2) In the past I have described the "0-day" aspects of CVE candidate
   number assignment, which includes situations in which CANs are
   assigned without MITRE involvement:

   http://lists.netsys.com/pipermail/full-disclosure/2003-January/003601.html

3) I have spoken in the past of the challenges in maintaining
   vulnerability databases, e.g. at:

   http://lists.netsys.com/pipermail/full-disclosure/2002-July/000186.html

   and in several other cases have commented on accuracy or
   consistency problems in vulnerability reports.

I think of this as sharing information and experiences for those who
may find it useful, as opposed to "whining."

- Steve