
Re: Counting CVEs



On 2012-03-08 11:52, Boyle, Stephen V. wrote:

> This sounds like splitting hairs, but "vulnerabilities" versus counted "vulnerabilities" may well come into play here. I'm not claiming that CVE has kept up - Kent and others have correctly stated the applicable rationale and history, and yes, someone looking only at raw numbers (whether CVE or otherwise) is going to ask hard questions, especially when money is hard to come by.
>
> That said, it bears mentioning that, by design, there will always be fewer CVEs than "vulnerabilities". There are more players in this field than there were a few years ago, and each has various incentives to publish more vulnerabilities than the others.
>
> Again, I'm not saying there is no problem. But we also have to pay attention to what is real, what counting problems exist across all sources of vulnerability reports, and what that means for CVE.

The questions remain IMO:

1. What level of abstraction is appropriate for CVE?
2. What level of completeness is appropriate for CVE? How do we define "vulnerability", and how narrowly do we name/count things? Is there desire/need for an accurate count of vulnerabilities?

OSVDB either abstracts a little more narrowly than CVE and/or collects more vulnerabilities, so OSVDB has higher numbers.

If CVE or any other database were to try to name and count all publicly disclosed vulnerabilities, it would be important to be able to distinguish between a vulnerability that is one of a dozen XSS bugs in a PHP web app and a vulnerability that is a straight up stack buffer overflow in httpd. Sure, count them all, but be able to say that out of 20K vulnerabilities named this year, 61% were XSS or SQLi in web apps with low distribution. I'm guessing at some numbers in the above example, but this is a big reason IMO that CVE numbers have declined. Vulnerabilities "worth tracking with a CVE" have declined, not the total number of vulnerabilities. Another way to look at it might be that the criteria for "worth tracking with a CVE" have changed.

And we're not even talking about threat or asset values (both of which have changed over time, and are different depending on your site/assets), which influence risk. So a decrease in CVE IDs has little directly to do with internet risk overall.

 - Art

Page last updated or reviewed: November 6, 2012