[VIM] Flagging unreliable researchers?

Steven M. Christey coley at mitre.org
Tue Jan 17 16:00:31 EST 2006


Maybe this is a somewhat emotional reaction, but I'm getting
frustrated with having to make so many corrections to existing CVEs
based on poor researcher practices, the lemoon issue being the latest.
I haven't done this yet, but I am considering creating a "watch list"
of unreliable researchers, and automatically labeling any CVE found by
that researcher as unreliable.

Any thoughts on this practice?  I don't want to antagonize researchers
or otherwise create a climate in which people are afraid to release
things, but neither should vendors have to waste their time and energy
dealing with erroneous claims.  Obviously we refined vuln info sources
have a role in this too, but I don't think we can (or should) entirely
move away from the very small disclosure-to-refined-notification
window that we have these days (to arbitrarily coin a term).

- Steve
