
RE: What is the future of CVE - scope, volume, and quality?



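Reading Mark's comments in his response, I will add mine to his as well. I personally no longer deal directly with the CVE editorial board. However, my team functions as the CNA for our own products, so we work closely with the Mitre CVE team.

2. What relationship should CVE have with any international efforts (such as IVDA) to identify vulnerabilities disclosed in non-English-based markets?

MP - I can only speak for our products, but many of them need to be localized into several local languages depending on the specific product and the security issue being resolved. Many of our disclosure dates are actually based on the availability of localized updates/patches for the "localized" products as well as the base English version. Mark's suggestion regarding regions for non-English-language products is not bad, but coordination and management of the same could be an issue.

As the CNA for Symantec product issues, one question we always ask the finder on receiving an initially reported issue, as part of the coordination process, is: "Do you plan to contact Mitre for a CVE ID, or have you already contacted Mitre for a CVE? Or would you like us to handle it?" Surprisingly enough, we have had the occasional finder make their initial contact with us with a CVE ID already assigned even before we have verified the validity of their finding. Usually though, we coordinate smoothly on assigning the CVE. We have even assigned one of ours to multi-vendor issues as a result of on-going coordination during the resolution and remediation process.

As Mark stated in his response, we too have found ourselves going to the content decision section on the Mitre page or firing off a "what-if" question to Steve. Not sure it's a matter of training, rather, one of getting something in occasionally that makes you scratch your head.

We haven't had much of a problem with duplicates but that's required some vigilance on our part to ensure we are making the right, or best-guesstimate, content decision. Also effective coordination with the finder or with the coordinating organization of a multi-vendor issue to ensure multiple CVEs aren't being assigned to the same issue requiring unraveling at some point.

Still reading Kent's point paper but he's making some valid points as well.

Thanks,
-Mike

--------------------------------------
Mike Prosser
Product Security Team
Symantec Research Labs
Office of the CTO, Symantec Corporation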

Page last updated or reviewed: November 6, 2012