
Re: [CVEPRI] Increasing numbers of candidates and timeliness



41 -0400 5/2/02, Steven M. Christey wrote:
>Pascal Meunier said:
>
>>References are all fine, but the main goal of the CVE is to give some
>>so that an issue can be discussed as one issue.
>
>Only recently has the topic moved to "how quickly can
>issues be discussed." CVE was originally intended to deal with tools, which
>have a much longer development cycle than vulnerability databases and
>notification services.

Then I've been under the wrong impression for several years, since the workshop on research with *vulnerability databases* where the CVE was first discussed. Timeliness was not an issue as long as you were dealing with legacy candidates (>6 months old). Now it is, and when discussing NIST's CVE recommendation you agreed with the statement that to consider "CVE as a timely and comprehensive service seems like a reasonable expectation".

Moreover, you have a chicken-egg problem with regards to reserved candidates. People will reserve candidates only if the CVE is perceived as a timely point of reference and having a CVE number in initial references is desirable. If the CVE is to be something that identifies soldiers after the battle has long been over and when counting the dead, it's not nearly as useful as I was hoping it would be. Which is it going to be?

(with apologies to Steve and the CVE content team who are working very hard already -- I sound ungrateful for their Herculean work, but I need to have this cleared out, and I need to know what I can reasonably expect from the CVE. I also wanted to provide public justification for Steve's efforts to make the CVE more timely, but I guess it has come out awkwardly more as an attack than the justification I wanted to provide)

>As you and I also discussed in private, I
>would like to get candidates out at least once a month. That means a
>few days of editing, once a month. (As I said, I'm doing more
>refinement now, too.) The 6 week delay for this last batch is
>disappointing because it's 2 weeks overdue, but as you may recall from
>the private emails, there were many reasons for those delays.

What I recall from emails is that you were trying to release them every two weeks (it's been 3 times the expected delay). That much should be possible without "detriment to the broader work that MITRE is doing with CVE"?

regards,
Pascal

--
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist,
CERIAS
Purdue University

Page last updated or reviewed: May 22, 2007