Hi Everyone, I hosted a CWE discussion within Red Hat today and had the following questions asked ... which I don't have answers to. I'm hoping someone else here on the board can point me in the right direction.
How does random sampling work for CWE statistics?

Why are CNAs held accountable for old data (CVEs from 2000) within new audit reports? Are CNAs expected to constantly go back and update old data every time new CWE data becomes available?

Chaining seems to also throw the statistics off. If a CNA only assigns one ID and NVD lists two, then this counts against the CNA. Vice versa also applies. IMHO this doesn't seem to make sense.

Thanks!

--
Jeremy West
Red Hat Product Security
Red Hat Massachusetts <https://www.redhat.com>
314 Littleton Rd
[email protected]
M: 9192686967
IM: hobbit <https://red.ht/sig>
