CBE -> CVE
ctcpip committed Nov 22, 2023
1 parent e6be44c commit 4ed8f91
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion meetings/2023-09/september-26.md
Expand Up @@ -177,7 +177,7 @@ SYG: Okay, so concrete question, suppose somebody is reporting, let me try the p

MF: The latter thing. When reports are mistakenly given through this process and they are engine specific, we want them to be redirected either through themselves being redirected when reading this process or if they still send it to us, getting back to them, or going through the security focals making sure it goes to the right place. When it is a language vulnerability, when we have suspicion that it is language vulnerability, which we have not defined what it is, it will be addressed in the group and expanded as necessary to include everybody who needs to be involved.

SYG: In terms of consensus, in asking for consensus, I have no concerns with kind of redirecting to the right project where necessary. I’m not clear on what the actionable thing is when we, for reports in the second bucket that does not fall into any particular projects purview. I guess if the consensus you’re asking for is, you should take that input and then discuss it, I have no concern, but I’m a little bit uncomfortable labeling such things as vulnerabilities if it doesn’t rise to the level of a particular software shipping a fix to do something. Like, if it’s just, we accepted a report, I’m not sure that gives the same messaging as a CBE would.
SYG: In terms of consensus, in asking for consensus, I have no concerns with kind of redirecting to the right project where necessary. I’m not clear on what the actionable thing is when we, for reports in the second bucket that does not fall into any particular projects purview. I guess if the consensus you’re asking for is, you should take that input and then discuss it, I have no concern, but I’m a little bit uncomfortable labeling such things as vulnerabilities if it doesn’t rise to the level of a particular software shipping a fix to do something. Like, if it’s just, we accepted a report, I’m not sure that gives the same messaging as a CVE would.

MF: In the interim, between setting up this initial policy and actually defining our desired security properties, it is going to be more of an I-know-it-when-I-see-it kind of thing. Later hopefully we will have more well defined security properties and we will be able to clearly determine whether or not it is a violation of any of these security properties we try to hold.
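Review bot: The one-character fix on SYG's line is correct in context (the speaker is contrasting "we accepted a report" with the signal a CVE sends, i.e. a vendor shipping a fix), and the hunk header confirms only this single occurrence is touched; since these notes are transcribed speech, it is worth searching the rest of meetings/2023-09 for any remaining "CBE" spellings so the acronym is consistent across the file.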

