Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Even though trusting Steve is not an issue for most people, I took his message to mean that he is worried some things might be held back. I have been working on a cooperative vulnerability database accessible through the web (OpenBSD, SSL, dedicated server with no other services). It provides a timestamped submission process, functionally equivalent to the hash publication Adam suggested. The advantage is that it uses most of Krsul's classifiers, and submissions (should) provide an analysis of the vulnerability (QA: submissions are rejected or accepted by n reviewers, n = 3 in the prototype). This information could then be used for the subsequent CVE Board vote.

Going out on a limb, it would be possible for the Board to vote on and accept a vulnerability while the vendor is working on the fix. The result would be a concurrent release of the patch and the CVE entry. I don't know whether people would be willing to give the CVE Board the same benefits as vendors, e.g., advance notice? I could replicate this system specifically for the CVE Board (note that this is not intended to, and could not, replace the excellent voting pages; it is orthogonal to them and meant to provide additional information). Would this be useful?

Pascal

At 8:10 PM -0400 9/20/00, Steven M. Christey wrote:
> All:
>
> I recently discovered some new vulnerabilities in some software. I have been working with the software vendor to ensure that a fix is made available before I publicize it to the usual places. I also plan to include candidate numbers in my initial announcement.
>
> Due to the increased analysis going on behind the scenes for CVE candidates, as well as some other non-CVE work I'm involved in with respect to developing source code analysis tools, it is likely that I or another member of the CVE content team will discover more vulnerabilities in the future.
>
> There are some potential areas in which there may be a real or perceived conflict of interest that I wanted to review with Board members. Your feedback is appreciated, and you can reply directly to me if you wish to make private comments.
>
> 1) I am somewhat concerned that if I disclose these vulnerabilities, then it may discourage others from requesting CVE candidate numbers from me in the future. Some people may fear that if they provide me with details when requesting a candidate, I could turn around and announce it, then claim that I was the discoverer. This is a concern because we will be opening candidate reservation (formerly called private candidate assignment) up to more people in the coming months.
>
> I assume that Board members would not have this problem of trusting me :-) However, candidate reservation will be available to anyone who asks, including individuals who may not trust me. If such an event were to theoretically happen, it would be my word against theirs.
>
> A mitigating factor in this is that I would expect to personally notify and work with vendors on all newly discovered vulnerabilities, in which case the vendor could be a neutral third party. In addition, those who request candidate numbers do not necessarily need to provide me with any details.
>
> 2) Diligence Level 1 for CVE candidate reservation allows the assignment of 1 CVE candidate number to an unknown party. (See http://cve.mitre.org/board/archives/2000-05/msg00179.html). Since I have not announced any vulnerabilities in the past, in a sense I am an unknown party, and my diligence level is 1. But in the case I found, 2 separate vulnerabilities will be disclosed. To establish Diligence Level 2, however, I need to have announced at least 3 new security problems.
>
> Should an exception be made for "trusted people who have not announced 3 new security vulnerabilities" (assuming I'm trusted ;-) or should I be forced to use only one candidate? Does anybody care about the diligence levels?
>
> 3) Regardless of how I obtain a candidate number before the announcement, the candidate will go through the rest of the Editorial Board review process like any other candidate, and be subject to the same voting requirements as everyone else.
>
> Let me know what you think. I believe the vendor will have a fix ready within a few days.
>
> Thanks,
> - Steve