[VIM] "context-dependent" and "user-assisted" terminology in CVE

security curmudgeon jericho at attrition.org
Wed Mar 20 17:45:34 CDT 2013

On Wed, 20 Mar 2013, Christey, Steven M. wrote:

: Prompted by a Twitter conversation with Jericho a little while ago, here 
: is how CVE uses certain terms in our descriptions.  We try to be 
: consistent in this usage, although there can be exceptions.
: It would be nice to get some alignment with OSVDB, especially because 
: OSVDB seems to use "context-dependent" in a different way than CVE.

We use C/D generically as a blanket term for both, but actually have a 
technical mechanism to distinguish them. Unfortunately, we're not very 
good at using it.

Our classification supports C/D and Remote/Local.

: Physically Proximate
: -------------------------
: Person must have physical access to the device or environment in
: order to exploit the vulnerability.  Examples: touching a workstation
: keyboard or USB device; "shoulder surfing" to see a workstation's

We've been doing this for a long time with our Physical classification, 
and typically use "physically proximate" in our description where 

More information about the VIM mailing list