CVE响应时间

人,名单(大部分)稳定的信息来源,我想问你们要考虑的问题多快CVE id需要生产。为了这个讨论,这里时间是衡量从披露是第一次(建立和跟踪信息来源之一)的时间直到CVE id发表,一般可用。CVE响应时间相关的风险或严重性。我们认识到,有时,我们将获得的信息将使我们的反应更快一些问题,而不是别人。不过,这将是有用的对我们共同的预期响应时间只不过是基于信息的来源。作为一个起点,我想表明,问题可以回应3分层方法:快速=名义上1 - 3天正常=名义上缓慢=名义上1 - 3周,如果时间允许有两个问题要问你。Q1:这种分级响应时间的方法是有意义的,如果不是,你能建议一个选择吗?Q2:应该响应时间只基于信息来源?请回顾“必备”的来源和为每个列表,投票给“快速”或“正常”。如果你强烈感觉到响应时间应该比源决定基于其他因素,请投票给“正常”的来源,并解释哪些因素你觉得应该考虑升级快速响应。 Note, sources that are categorized as ignored will be ignored, so there's no point discussing response time. Sources categorized as nice to have will be treated as "slow", since they are only nice to have and not must haves. -Dave ================================================================== David Mann | Principal Infosec Scientist | The MITRE Corporation ------------------------------------------------------------------ e-mail:damann@mitre.org | cell:781.424.6003 ================================================================== CVE VULNERABILITY RESPONSE TIME Please vote: Fast = notionally 1-3 days Normal = notionally 1-3 weeks Government & Related Information Sources US-CERT Advisories (aka CERT-CC Advisories) US-CERT Vulnerability Notes (CERT-CC) US-CERT Bulletins (aka Cyber-Notes) CMU/CERT-CC DoD IAVAs Vendor Published Information Microsoft RedHat Apache Apple OSX Oracle Solaris Suse Mandriva HP-UX AIX Cisco IOS Free BSD Open BSD Net BSD Gentoo (Linux) Ubuntu (Linux) Adobe Mozilla Google Chrome Mailing Lists & VDBs Bugtraq Full Disclosure Security Focus Security Tracker OSVDB Oss-security