Re: [Full-disclosure] Open Letter on the Interpretation of "Vulnerability Statistics"




*shrug* things change in 2.5 years. The answer is fundamentally the same,
only I've given up being pedantic about the terminology.

Since your criticism of CVE and the vuln DB world has not changed in 2.5
years (and neither has my defense of it), perhaps we should agree to
disagree and be done with it.

On Fri, 6 Jan 2006, Georgi Guninski wrote:

> On Fri, Jan 06, 2006 at 02:53:56PM -0500, Steven M. Christey wrote:
> > According to the definitions proposed by Brian Martin of OSVDB, CVE is in
> > fact a database - HOWEVER it is a highly specialized one intended for
> > correlation and comparison across multiple tools and products. That said,
> > 90% of its consumers do not use it for that reason. The FAQ should
> > probably be rephrased a bit.
> >
>
> hahahahahaha, "a responsibility rfc government funded
> expert" wrote.
>
> http://lists.grok.org.uk/pipermail/full-disclosure/2003-August/008386.html
> >>So you are collecting 0days for free, put them in a lame database and
> >>whine more than a script kiddie this is a hard job?
>
> >I don't view it that way.
> >
> >1) CVE is not a vulnerability database, per the FAQ on the CVE web
> > site at http://cve.mitre.org/about/faq.html#A7 (though we are not
> > blind to the fact that some people try to use it as a database
> > anyways).
>
> --
> where do you want bill gates to go today?
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/