
Re: [TECH] CD: VAGUE (vague vendor descriptions of vulnerabilities)



Adam Shostack said:

> I'm not sure that the existence of a vendor patch should be accepted as
> resolving these issues; see the recent Internet Explorer rollup
> patch.

Note that we are very careful about assuming that an advisory addresses a specific issue. A CVE content-team mantra, which I quote a lot, asks: "if someone claims confirmation and the vendor says nothing or speaks in riddles, is the issue then resolved?"

Basically, without clear evidence that the vendor is addressing a specific issue, we don't add it as a reference to a candidate/entry that it might be addressing. Depending on how circumstantial the evidence is, we may create a separate item for it and note the possible duplication in the analysis section, or I might cast a REVIEWING vote on the possible duplicate candidate and note the vague reference.

A great example of this is the classic phrase "fixed security bug," which you find scattered throughout change logs from a variety of open and closed source, commercial and freeware vendors. Without at least a closely-correlated date and some credit to the person who announced the problem to Bugtraq, we normally don't call this sufficient acknowledgement, and the "vendor acknowledgement" data field has an "unknown vague" value in it, which is available to voters.

There are about 15 candidates whose acknowledgement is "unknown vague," but there are about 100 candidates whose acknowledgement is "unknown discloser-claimed" - where the person announcing the problem says that the vendor fixed the issue and/or provided a patch, but there's no clear public acknowledgement from the vendor.

- Steve

Page last updated or reviewed: May 22, 2007