What to do about CVE numbers
Posted Oct 5, 2019 6:34 UTC (Sat) by tlamp (subscriber, #108540)Parent article: What to do about CVE numbers
E.g., Spectre, Meltdown, ..., were not introduced by a single change - I mean, maybe the one adding support for the respective vulnerable hardware, but that can hardly count?
But I agree very much with the statement that CVEs are overused and seldom have any value now.
Posted Oct 7, 2019 7:22 UTC (Mon)
by nim-nim (subscriber, #34454)
[Link] (2 responses)
S* happens, and software has bugs. So you *will* get CVEs. If your software suppliers are unable to report the CVEs fixed in each delivery, they are *lying* (or incompetent suppliers that should be replaced). If they *are* reporting the fixed CVEs, you get a direct measure of the whole software supply's bugfixing velocity (so if unit A is still fixing years-old CVEs while unit B is fixing last week's CVEs, you know which one has a problem).
I'm not sure people realize how much that helps cut the crap and avoid kilometers of PowerPoint obfuscation.
Posted Oct 7, 2019 13:50 UTC (Mon)
by imMute (guest, #96323)
[Link] (1 responses)
I'm not sure I do... Age [of a CVE] is not the only indicator of priority. Maybe Unit A has fixed all the "critical" CVEs and is now working its way through the "probably not even exploitable" CVEs from years ago.
Posted Oct 8, 2019 8:00 UTC (Tue)
by nim-nim (subscriber, #34454)
[Link]