
Re: [TECH] Candidate numbers



Steve, I read the proposal, and it seems rational and reasonable. A few questions:

> - it must only assign candidates to security problems

If a candidate is publicly assigned, and the report is later found to be false or a duplicate, is there an obligation on the CNA to account for the "lost number"? Or can it just be sent to /dev/null?

> ----------------------------------
> Communications from CNA's to MITRE
> ----------------------------------
>
> The following types of communication occur from CNA's to MITRE:
>
> - request a pool of candidate numbers

Must numbers within the pool be handed out sequentially? Will the pool necessarily be contiguous? One of the things we are mildly concerned with is leaking information about who (particularly vendors) knew what when as regards a vulnerability. We don't want to put vendors in the position of having to defend why one patch came out after another even though the problems were reported in the other order.

> - suspected researcher abuses

Although we can report a "faulty" number, we can't report on individuals' intentions if they wish to remain anonymous. Does this imply a requirement to disclose researcher identities for those who wish to remain anonymous?

> - they should not publish CVE candidate numbers in a manner which
>   might provide them with any economic or political advantage over
>   their competitors

"might provide...any" is a little broad. We sometimes disclose information to sponsors and collaborators privately under NDA before public dissemination, and we support that practice in general. It seems reasonable to me that a candidate number could be part of that private disclosure. Would such disclosure be prohibited?

> ---------------
> Vendor Liaisons
> ---------------
>
> A vendor liaison works with CNA's to obtain or verify CVE candidates
> in the liaison's own products. The liaison is not an Editorial Board
> member, nor is it a CNA, as it may not have the need or capability to
> satisfy the CNA requirements.

I don't understand the role of vendor liaisons. Could you elaborate, and perhaps provide an example?

> - obtain candidates for a vulnerability report from only one CNA
>
> - obtain the candidate from the vendor, if the vendor is a CNA

What about when the vulnerability affects multiple vendors? Would any of the vendor CNAs be appropriate?

> - publish through known reliable channels (vendor or response team),
>   or known public channels with peer review (Bugtraq or NTBugtraq)

I assume the parenthetical clauses are just examples, right? A paper at Crypto would be just fine, wouldn't it? Or do you mean to require the availability of this information freely on the web?

Thanks,
Shawn

Page last updated or reviewed: May 22, 2007