Message-ID: <200308152109.h7FL9P7d005186@linus.mitre.org>
From: coley at mitre.org (Steven M. Christey)
Subject: Re: Microsoft MCWNDX.OCX ActiveX buffer overflow

Georgi Guninski said:

>So you are collecting 0days for free, put them in a lame database and
>whine more than a script kiddie this is a hard job?

I don't view it that way.

1) CVE is not a vulnerability database, per the FAQ on the CVE web
   site at http://cve.mitre.org/about/faq.html#A7 (though we are not
   blind to the fact that some people try to use it as a database
   anyways).

   The issues that we deal with in CVE have a bit of overlap with
   database maintainers.

2) In the past I have described the "0-day" aspects of CVE candidate
   number assignment, which includes situations in which CANs are
   assigned without MITRE involvement:

   http://lists.netsys.com/pipermail/full-disclosure/2003-January/003601.html

3) I have spoken in the past of the challenges in maintaining
   vulnerability databases, e.g. at:

   http://lists.netsys.com/pipermail/full-disclosure/2002-July/000186.html

   and in several other cases have commented on accuracy or
   consistency problems in vulnerability reports.


I think of this as sharing information and experiences for those who
may find it useful, as opposed to "whining."


- Steve
