The core problem we face in CVE is inaccurate and incomplete information. Indeed, in some cases we have had to codify what to do when there is insufficient information. We regularly notice important inconsistencies between different vulnerability reports - assuming, of course, we can even be certain they are talking about the same vulnerability. The highest quality information I see comes from coordination between the researcher and the vendor, with independent and well-written advisories from both parties to give different perspectives of the same problem. Of course, there are many reasons why this does not always happen.
A most interesting commentary throughout. - Steve _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
