
Re: CVE Numbering



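Ok, Adam's point is really just that we had "agreed" to use 10,000 as a start number, and he has actually assigned numbers to some items based on this understanding.

The number *is* irrelevant. Indeed, no numbering system we use has any advantage or disadvantage, because we want our effort to stay away from the kind of in-depth analysis data that the CERIAS VDB is attempting, and which the names/numbers enumerated by the CVE are meant to avoid. What matters is that we issue a "value" that is unique, and that vendors adopt the approach of referencing that value. Beyond that, any other meaning derived from the "value" is merely superficial, and subject to the particular biases of the people viewing the data (oh, it's number 13, this must be a really big problem!).

We shouldn't spend a great deal of time on the enumeration "value". I'm sure Adam would rather not change something he had understood to be settled, but in the end, it really doesn't matter.

IMO, no attempt should be made to order these items chronologically. From Mitre's perspective, it isn't even desirable to correctly attribute who discovered or first announced a vulnerability. This gets into liability issues, or at least the possibility of not attributing something to someone.

If anything, quoting sources of information that were used to derive the info that makes an item worthy of a CVE entry makes the most sense. This isn't done to attribute, but to justify its "acceptance" and provide clarification. I think my last discussions with Steve et al indicated that even this may not be done...which is fine by me.

We should remember to stay tightly focused on the Mitre effort, to identify and enumerate all known vulnerabilities such that all entities referring to such vulnerabilities will, ultimately, refer to the same issue. Everything beyond that is the realm of other...possibly related...efforts (CERIAS, VETRANS, etc...)

..."what's in a name, a rose by any other name would still smell as sweet"...;-]

The CVE is, IMO, merely trying to name the flower, and say it has a scent. Sweet, not sweet, etc... is not in the purview of the CVE.

Cheers,
Russ - NTBugtraq moderator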

Page last updated or reviewed: May 22, 2007