
Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey



Alice discovers a vulnerability and wants to tell Bob, but thinks Bob might steal it. Bad as I am, I see a simple solution. Alice writes up her description of the problem, hashes it, and posts the hash result on a widely archived forum. (I'd suggest Bugtraq or NTbugtraq, if the moderators are willing to let such things through.) If Bob cheats, Alice publishes the file containing the description, and anyone can see that it hashes to what she posted. Now, this doesn't solve the problem of Alice and Bob discovering the same thing at the same time, but it does guarantee that Alice can prove she had the information at some earlier time.

Adam

On Wed, Sep 20, 2000 at 08:10:45PM -0400, Steven M. Christey wrote:
|
| I recently discovered some new vulnerabilities in some software. I am
| working with the software vendor to ensure that a fix is available
| before I publicize it in my usual places. I also plan to include
| candidate numbers in my initial announcement.
|
| Due to the increased CVE analysis behind the scenes of candidates, as
| well as some other non-CVE work I am involved in developing source
| code analysis tools, it is likely that I or another member of the CVE
| content team will discover more vulnerabilities in the future.
|
| There are some potential areas in which there may be a real or
| perceived conflict of interest that I wanted to review with Board
| members. Your feedback is appreciated, and you can reply directly to
| me if you wish to make private comments.
|
| 1) I am somewhat concerned that if I disclose these vulnerabilities,
| then it may discourage others from requesting CVE candidate numbers
| from me in the future. Some people may fear that if they provide
| me with details when requesting a candidate, that I could turn
| around and announce it, then claim that I was the discoverer. This
| is a concern because we will be opening candidate reservation
| (formerly called private candidate assignment) up to more people in
| the coming months.
|
| I assume that Board members would not have this problem of trusting
| me :-) However, candidate reservation will be available to anyone
| who asks, including individuals who may not trust me. If such an
| event were to theoretically happen, it would be my word against
| theirs.
|
| A mitigating factor in this is that I would expect to personally
| notify and work with vendors on all newly discovered
| vulnerabilities, in which case the vendor could be a neutral third
| party. In addition, those who request candidate numbers do not
| necessarily need to provide me with any details.
|
| 2) Diligence Level 1 for CVE candidate reservation allows the
| assignment of 1 CVE candidate number to an unknown party. (See
| http://cve.mitre.org/board/archives/2000-05/msg00179.html). Since
| I have not announced any vulnerabilities in the past, in that
| sense I am an unknown party, and my diligence level is 1. However,
| I have discovered 2 separate vulnerabilities that I will disclose.
| To be established at Diligence Level 2, however, I would need to
| have announced at least 3 new security problems.
|
| Should an exception be made for "trusted people who haven't
| announced 3 new security vulnerabilities" (assuming I'm trusted ;-)
| or should I be forced to use only one candidate? Does anyone care
| about diligence levels at all?
|
| 3) Regardless of how I obtain a candidate number before the
| announcement, the candidate will go through the rest of the
| Editorial Board review process like any other candidate, and will
| be subject to the same voting requirements as everyone else.
|
| Let me know what you think. I believe the vendor will have a fix
| within days.
|
| Thanks -- Steve

- "It is seldom that any liberty is lost all at once." -Hume

Page last updated or reviewed: May 22, 2007