[VIM] "context-dependent" and "user-assisted" terminology in CVE
security curmudgeon
jericho at attrition.org
Wed Mar 20 17:45:34 CDT 2013
On Wed, 20 Mar 2013, Christey, Steven M. wrote:
: Prompted by a Twitter conversation with Jericho a little while ago, here
: is how CVE uses certain terms in our descriptions. We try to be
: consistent in this usage, although there can be exceptions.
:
: It would be nice to get some alignment with OSVDB, especially because
: OSVDB seems to use "context-dependent" in a different way than CVE.
We use C/D generically as a blanket term for both, but actually have a
technical mechanism to distinguish them. Unfortunately, we're not very
good at using it.

Our classification supports C/D and Remote/Local.
: Physically Proximate
: -------------------------
:
: Person must have physical access to the device or environment in
: order to exploit the vulnerability. Examples: touching a workstation
: keyboard or USB device; "shoulder surfing" to see a workstation's
We've been doing this for a long time with our Physical classification,
and typically use "physically proximate" in our description where
appropriate.