
Re: CVE-10K problem (fwd)



My first attempt to post to the list was rejected because of a change of e-mail address. Here it is again; please scroll down, my answer has two parts:

Steven M. Christey wrote:

> 4) Keep the year and extend the numeric portion to 5 digits.

I prefer #4 because it doesn't introduce new semantics, and it's simple. The fact that the year portion is crude is a separate quality/budget issue (see below). I would also use 6 digits instead of 5, so that this doesn't happen again (I hope), because I see the international scope of CVE, and there may be many more entries as more and more countries start developing more software (e.g., India; see below).

> > Handling, say, 20K issues a year may require a paradigm shift within
> > the whole vulnerability information management industry.
>
> As Dave Mann has pointed out to me innumerable times, the number of
> vulns is growing faster than CVE funding, which has been flat, so
> relative to content generation itself the risk is increasing and our
> funding is effectively decreasing (I don't think most people
> understand why good vulnerability information isn't cheap.) In any
> case, I suspect that this growth problem is harming other vuln
> databases/products. We're already seeing some of that paradigm
> shift; the Board gave up voting a while ago due to the amount of
> effort, you're seeing more generic vulnerability database entries
> with more mistakes (probably being made by less experienced analysts
> with less editorial oversight), the percentage of verified issues is
> probably smaller, etc.

Funding for the CVE should be a requirement for the DHS, at whatever level is needed for it to function correctly and without undue stress on team members. The CVE is a necessary foundation for vulnerability handling and research (or as I said before, "the key"), and many aspects of security. From what I surmise the strain is at a critical level and if funding isn't increased the CVE will cease to be useful and worth doing -- this is close to an all or none operation. The more vulnerabilities are "missed" the more useless it is, and I'd venture that it would have close to zero usefulness if any more than 50% of the vulnerabilities were missed, not to mention correctness issues. It would be just as useless as a dictionary missing common words, or having words with the wrong definition.

If the CVE team can't be funded at a sufficient level, I regretfully suggest that the time and effort of its talented members would be better spent elsewhere, at a more rewarding activity. We would suffer greatly from that, but if we as a society are not willing to pay for it, we don't deserve it.

In actuality, the CVE should be a global, international project because all of IT in the world benefits from it and depends on it. Also, vulnerabilities are more and more being generated worldwide (e.g., through branches or offshoring). Perhaps a European CVE effort could be started, funded by the EU (or an Indian effort, etc...). Ultimately (and I don't know what mechanisms and hassle that implies) it should be funded at a global level, and the numbering done by a global organization like WHO or IMF.

Just by curiosity, what is the make-up of the editorial board? Is there any international presence?

Regards,
Pascal Meunier
Purdue University CERIAS

Page last updated or reviewed: May 22, 2007