Re: [CD] CD proposal: SF-LOC (Software flaws in different lines of code)
On Thu, 15 Jun 2000, Pascal Meunier wrote:

> Bill Fithen <wlf@CERT.ORG> wrote:
> > > It seems to me that the fundamental nature of a vulnerability is
> > > independent of the mechanism(s) that can be used to correct it.
> > > There can be many ways to correct a vulnerability. In fact, it seems
> > > clear to me that such a "list" of corrective countermeasures is a
> > > completely separate undertaking from CVE (maybe CCE?).
> >
> > This begs the question: if we have to analyze the nature of the
> > vulnerability for a CVE entry, haven't we already gone too far with
> > respect to the stated goals of CVE?

That's a good point. We should avoid creating situations where in-depth analysis is needed just to decide whether something is one thing or two things. Although, what I expect to happen is that we won't be able to obtain enough information to do the analysis correctly. At that point, my inclination (with respect to CVE) is to punt and simply say we don't have enough information, and wait until we do. If we are wrong, we correct it later.

> > All other things being inconclusive with respect to the split/merge
> > question, if we arrive at this rule and the vendor refuses to answer
> > the split/merge question, then it seems to me the only conservative
> > approach is to split. If we incorrectly split, the only consequence is
> > information redundancy. If we incorrectly merge, the consequence is
> > information loss. Once we split based on the lack of information, the
> > (possibly redundant) entries are marked as 'this is all we know' and
> > left that way until we know more. If at some point in the future (even
> > after they might be voted into CVE), if someone learns enough to
> > "prove" to us they should have been merged, then we merge them.
>
> I agree with this. Moreover, why not split by default, merge when
> 'someone learns enough to "prove" to us they should have been
> merged', and save the headache?

I like this as a rule of thumb. It has the great virtue of being fast and lightweight. I am strongly in favor of techniques that will let entries quickly into CVE, even when they later turn out to have been suboptimal or even wrong. Pursuing perfection too early may mean the introduction of delays that make the eventual acceptance of an entry less valuable merely because of the delay (I am speaking from an organization with a lot of experience in letting perfection be the enemy of good enough).

Bill