
Initial Candidate Proposal and Acceptance Procedure



Below is a process definition for proposing and discussing candidates. This process is open to adaptation by the Editorial Board as we go along and test it, but in the interests of * *, I will start by following this approach.

0) While Dave Mann and I have taken the "silence means agreement" approach, I think it is important that everyone speak up for this part of the CVE validation. It is hard to know whether someone is quietly reading and agreeing, or whether they are on vacation somewhere. So please speak up!

1) For now, I will be the only Candidate Numbering Authority (CNA), so I am the only one who can propose candidates. This will change as we get closer to release, perhaps when we discuss the "unknown" candidate clusters and/or introduce new vulnerabilities. (See the separate email discussing candidate clusters.)

2) I will propose each cluster in a separate email. Each candidate in the cluster will include:

   - candidate number
   - proposer ID (just 001 for me, for now)
   - assigned date (i.e. the date the candidate was "reserved" for use)
   - announced date (the date the candidate's name was made public)
   - category
   - reference(s)
   - description

   Candidate numbers will be equivalent to the CVE numbers (version 199904290013), i.e. CAN-1999-00345 is the same as CVE-00345 in your CVE distribution.

3) Each member of the Editorial Board should respond to each candidate. The following responses are valid:

   (a) REVIEWING - member is reviewing/researching the candidate.

   (b) ACCEPT - member approves the vulnerability as proposed.

   (c) NO OPINION - member specifically avoids commenting on this vulnerability. May be useful e.g. if member is not an expert for that particular type of vulnerability. NO OPINIONs are strongly discouraged.

   (d) REJECT - member rejects the candidate entirely, because:
       - it is not a vulnerability (i.e. was reported as a problem but turned out not to be)
       - it is unconfirmed (or not sufficiently confirmed)
       - it is not a *CVE vulnerability*, i.e. does not fit the CVE vulnerability definition
       - it is a duplicate
       - it subsumes a CVE vulnerability (i.e. it's too high level and encompasses existing vulnerabilities)
       - it is subsumed by a CVE vulnerability (i.e. it's an instance of an existing CVE vulnerability)

   (e) MODIFY - vulnerability is generally acceptable, but some details may be missing or wrong, e.g.:
       - description needs slight modification
       - references incorrect
       - category incorrect

   (f) RECAST - there needs to be a better term than this. The member does not believe the candidate as proposed should go into the CVE without being heavily modified, e.g.:
       - change level of abstraction of the candidate (merge/split with others)

4) Every so often (to be determined), I will post a "summary" of candidates that appear to be close to resolution. I will also develop a clean way to announce when a final decision has been made.

5) As we get closer to release date, and as vendors/others begin to identify gaps between the CVE and their own vulnerability databases, then we will open the process to include other CNAs besides me.

Page last updated or reviewed: May 22, 2007