Should Debian ask for a CPE when a CVE in Debian is found?

To: "debian-security@lists.debian.org" <debian-security@lists.debian.org>, "cpe_dictionary@nist.gov" <cpe_dictionary@nist.gov>
Cc: Kate Stewart <kstewart@linuxfoundation.org>, "David A. Wheeler" <dwheeler@dwheeler.com>, "Khakimov, Samir \"Sam\"" <skhakimo@ida.org>, Holger Levsen <holger@layer-acht.org>
Subject: Should Debian ask for a CPE when a CVE in Debian is found?
From: "Wheeler, David A" <dwheeler@ida.org>
Date: Fri, 12 Feb 2016 10:51:13 -0500
Message-id: <[🔎] 9F8E44BC27E22046B84EC1B9364C66A1B31E3FC9F1@EXCH07-4850.ida.org>

Should Debian's security team ask for a Common Platform Enumeration (CPE) id when a related CVE is found/reported fixed?

CPEs are used to by some systems to identify software (including, optionally, specific version numbers of software).  Some security scanning automated tools use CPEs for identification.  More info on requesting CPEs here: 
https://nvd.nist.gov/cpe.cfm

I thought I'd raise the idea.  Thanks!

--- David A. Wheeler

Attachment: signature.asc
Description: signature.asc

Reply to:

Follow-Ups:
- RE: Should Debian ask for a CPE when a CVE in Debian is found?
  - From: "Booth, Harold" <harold.booth@nist.gov>
- Re: Should Debian ask for a CPE when a CVE in Debian is found?
  - From: Paul Wise <pabs@debian.org>

Prev by Date: Re: [sipgate Operationsteam] Betreff: [SECURITY] [DSA 3386-2] unzip regression update
Next by Date: RE: Should Debian ask for a CPE when a CVE in Debian is found?
Previous by thread: Re: [sipgate Operationsteam] Betreff: [SECURITY] [DSA 3386-2] unzip regression update
Next by thread: RE: Should Debian ask for a CPE when a CVE in Debian is found?
Index(es):
- Date
- Thread