Message-ID: <200212060308.WAA09074@linus.mitre.org>
From: coley at linus.mitre.org (Steven M. Christey)
Subject: Re: [Poor-Disclosure]
The core problem we face in CVE is inaccurate and incomplete
information. Indeed, in some cases we have had to codify what to do
when there is insufficient information. We regularly notice important
inconsistencies between different vulnerability reports - assuming, of
course, we can even be certain they are talking about the same
vulnerability. The highest quality information I see comes from
coordination between the researcher and the vendor, with independent
and well-written advisories from both parties to give different
perspectives of the same problem. Of course, there are many reasons
why this does not always happen.
A most interesting commentary throughout.
- Steve