[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Open Letter on the Interpretation of "Vulnerability Statistics"
- To: Georgi Guninski <guninski@xxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] Open Letter on the Interpretation of "Vulnerability Statistics"
- From: Florian Weimer <fw@xxxxxxxxxxxxx>
- Date: Sat, 07 Jan 2006 16:13:06 +0100
* Georgi Guninski:
>> RVI sources collect unstructured vulnerability information from Raw
>> Sources.
>
> read: parasites cut and paste from people who can do things.
A service which assigns a primary key shared by multiple databases is
quite helpful. Of course, you can dismiss this whole vulnerability
tracking/patching thing as completely pointless, and I wouldn't even
disagree with you. 8-)
>> - LACK OF COMPLETE CROSS-REFERENCING BETWEEN RVI SOURCES.
>
> read: coley does not like it that there is no officially recognized
> usa funded database (NOT a dictionary) to rule em all and manipulate
> statistics.
Uhm, CVE itself adds cross-references to other databases, even to a
non-US one, so I don't think this is a valid criticism.
Unlike PKI or DNS, vulnerability naming does not need to be universal
to be useful. It does not suffer from the Highlander problem.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/