
Re: Candidate numbering scheme



I think the numbering scheme Russ advocates (i.e., basing CVE numbers on candidate numbers) carries some risks, although I recognize that it does address certain limitations of the current approach.

First, I'm concerned that embedding the ID within the CVE name itself could, in some cases, be abused, or at least misinterpreted. The *proposer* of a candidate vulnerability is not necessarily the discoverer of that vulnerability. "Outsiders" might confuse the two and make invalid assumptions. There is also the risk of indirectly encouraging "competition" to see who can propose the most popular candidates. A simple CVE-NNN would eliminate this concern.

I also agree with Dave's concern about numbers becoming "memorable." While everyone certainly knows "Smurf," it might almost as well be known by a name like CVE-00513. From my experience in the earlier development of CVE, certain numbers became well known to me.

I think there is a third issue that is the most important. Multiple candidates will be proposed that wind up being part of the same CVE vulnerability (let's say they are duplicates, or they're both subsumed by it), or split into multiple CVE vulnerabilities. There won't be a one-to-one relationship between the candidate number and the CVE number, so the CAN- portion will be different than the CVE- portion. This would require a "lookup" capability to go from the candidate number to the real associated number. I.e., we would *still* have to maintain a mapping from candidate numbers to the CVE numbers.

None of these problems is significant if the candidate number is never really public, and only for use within the Input Forum. They might be relatively minor compared with some of the benefits, e.g. "early tracking" of new vulnerability information, and allowing Input Forum members (e.g. vendors) to use candidate numbers in advisories that they post for new vulnerabilities.

The question is: how important is it to the members of this group that we should have such "external candidate numbers"? Russ' perspective is clear since he is concerned with numbering vulnerabilities as early as possible, and I believe Andre would agree since he expressed concerns with getting numbers for advisories for new vulnerabilities.

A second question is: assuming we have external candidate numbers, do they *have* to be the same as the CVE number? To reduce confusion, sure, but there won't always be a one-to-one relationship as I indicated earlier.

I think that such a radical change to the CVE name requires a decision before release. Any commitments we make to a numbering scheme will have to be adhered to once the CVE is public.

- Steve

Page last updated or reviewed: May 22, 2007