
Re: [CVEPRI] Increasing numbers and timeliness of candidates



I was at the first meeting, and I distinctly remember that timeliness, as Pascal described it and which I won't repeat, was an issue. I don't want to come off as attacking anything, but I think we need to stay focused on timeliness, otherwise why are we really here? What we are doing helps raise the bar on security, because it begins the first real effort to articulate all vulnerabilities in one compelling forum. Its real value must be an attribute of timeliness. It won't help if the best use of CVE is as a sidebar for reading about how your enterprise was hacked/infested. Until we have timeliness, we can never address 0-day vulnerabilities, which in many cases are, in retrospect, the way that many enterprise, and critical, computing environments are compromised. So, from a critical infrastructure perspective, CVE's ability to serve as a true reference is limited, because its lack of timeliness prevents it from being one. Agreed, we can't try to be everything to everyone, but without timely records we are of limited use. Even from a statistical analysis and/or data mining perspective, the lack of timely information would render any potentially useful analysis. We must put a stake in the sand for what CVE will grow into now…

Kevin
===============================
Kevin J. Ziese, Security Scientist
Global Defence & Space Group
Cisco Systems, Inc.

----- Original Message -----
From: "Pascal Meunier"
To: "Steven M. Christey";
Cc:
Sent: Thursday, May 02, 2002 9:19 AM
Subject: Re: [CVEPRI] Increasing numbers and timeliness of candidates

> At 2:41 AM -0400 5/2/02, Steven M. Christey wrote:
> >Pascal Meunier said:
> >
> >>References are nice, but the main goal of the CVE was to give a number
> >>to an issue so the issue could be discussed.
> >
> >Only recently has the topic moved to "how quickly the issue could be
> >discussed." CVE was originally intended to deal with tools, which
> >have a much longer development cycle than vulnerability databases and
> >notification services.
>
> Then I've been under the wrong impression for several years, since
> the workshop on research with *vulnerability databases* where the CVE
> was first discussed. Timeliness was not an issue as long as you were
> dealing with legacy candidates (>6 months old). Now it is, and when
> discussing NIST's CVE recommendation you agreed with the statement
> that to consider "CVE as a timely and comprehensive service seems
> like a reasonable expectation". Moreover, you have a chicken-egg
> problem with regards to reserved candidates. People will reserve
> candidates only if the CVE is perceived as a timely point of
> reference and having a CVE number in initial references is desirable.
> If the CVE is to be something that identifies soldiers after the
> battle has long been over and when counting the dead, it's not nearly
> as useful as I was hoping it would be. Which is it going to be?
>
> (with apologies to Steve and the CVE content team who are working
> very hard already -- I sound ungrateful for their Herculean work, but
> I need to have this cleared out, and I need to know what I can
> reasonably expect from the CVE. I also wanted to provide public
> justification for Steve's efforts to make the CVE more timely, but I
> guess it has come out awkwardly more as an attack than the
> justification I wanted to provide)
>
> >
> >As you and I also discussed in private, I
> >would like to get candidates out at least once a month. That means a
> >few days of editing, once a month. (As I said, I'm doing more
> >refinement now, too.) The 6 week delay for this last batch is
> >disappointing because it's 2 weeks overdue, but as you may recall from
> >the private emails, there were many reasons for those delays.
>
> What I recall from emails is that you were trying to release them
> every two weeks (it's been 3 times the expected delay). That much
> should be possible without "detriment to the broader work that MITRE
> is doing with CVE"?
>
> regards,
> Pascal
> --
> Pascal Meunier, Ph.D., M.Sc.
> Assistant Research Scientist,
> CERIAS
> Purdue University
>

Page Last Updated or Reviewed: May 22, 2007