In the past the CVE rationale was the year was embedded so you knew when the vuln was from. That made sense in 1999, less now, but it is still a helpful aspect of "at a glance" you can see scan results for example and see how out of date you are (e.g. if you see GSDs from more than a year ago...).
Another advantage of the YEAR as a number is that we can make changes to the ID part itself, e.g. right now we use an integer but maybe some year we switch to hex/sha512/etc. at some point.
The other aspect is that all the tooling expects a year and a number, so changing that breaks all the tooling.
And there's no significant downside to putting the YEAR in. One note: CVE uses YEAR as "when this was known to be a vulnerability", which can be problematic (e.g. what if you find an old posting? Do you bother reissuing it?). The DWF simply uses the YEAR as when the ID was assigned, very simple.
------------------------------
Kurt Seifried
Chief Blockchain Officer and Director of Special Projects
Cloud Security Alliance
kseifried@cloudsecurityalliance.org
------------------------------
Original Message:
Sent: Jan 31, 2022 10:04:47 AM
From: Bill Hughes
Subject: GSD Numbering Format
Hi Everyone
I have been looking for a document that outlines the rationale for the GSD numbering.
From the demo, I see the GSD number format appears to be GSD-yyyy-xxxxx
which is similar to the CVE numbering.
If there isn't a document that outlines the rationale, is someone able to tell me why the year is embedded in the number? I recognize that it is similar to the CVE numbering but other than that, is there a reason for embedding the year rather than simply incrementing the number?
Thanks!
Bill
------------------------------
Bill Hughes
Weehooey Inc.
------------------------------