
Re: counting on cf



Some reactions to Dave's points, and a new consideration (which probably deserves its own thread).

On Fri, 9 Mar 2012, Mann, Dave wrote:

: 1) GLOBAL VULNERABILITY REPORTING - In my opinion, one thing for CVE is
: the global vulnerability reporting problem. But one thing I'm sure of: the
: solution, if it exists, needs to grow organically, weaving together distinct
: regional capabilities.

Definitely.

: I think the best thing we, the CVE community, can do to help promote the
: emergence of a global vulnerability reporting capability is to be able to
: talk clearly about what we can and can't do, and try to make as many
: lessons learned as possible available to others.

Agreed. I think that would involve at least declaring what forms of vulnerability disclosure sources are monitored. After that, perhaps the average time from disclosure to an identifier.

Another thing to consider is that if regional entities shared exports of their references, it would be fairly easy to do matching. One thing OSVDB does for vendors that want to is exchange such dumps. We'd provide a list of OSVDB - CVE - Secunia - BID - XSS cross references, they would provide a list of CVE - internal_id references. Each side could then import the other's data set to add a new set of references. OSVDB did this for example with Tenable for both Nessus and PVS. In a matter of hours, OSVDB could reference some 5,000 PVS references along with 40,000+ Nessus references. Think of this on a bigger scale. If CVE and JP-CERT do that, and CVE shares with OSVDB, and OSVDB and Secunia swap data sets frequently, then each VDB and regional entity would have a solid framework that achieves two things:

1. They have good cross-references, which helps avoid duplicate assignments.

2. Each entity has a concise list of CVE (or any other shared ID) that are *not* in their database, and they can investigate why.

: 2) VULNERABILITY SOURCES - We've talked internally at great length on
: the subject of vendors, products and sources. We've also talked a bit
: about this as a Board. In my opinion, we'll drive ourselves bonkers if
: we talk about vendors and products.

Totally spitballing here: With the creation of so many other VDBs that do daily monitoring, perhaps CVE should dramatically change the focus. Rather than trying to monitor a percentage of disclosure sources, why not monitor a handful of VDBs? By watching Secunia, BID, and ISS, CVE could create an entry with a certain level of confidence (especially if monitoring Secunia). Further, they could have the original disclosure and three VDB references with each CVE coming out of the gate. In turn, each of those VDBs can scrape CVE and import the assignment since their ID is already in the mix.

In short, CVE could become a different style of meta-VDB.

--

The other point I have brought up privately, and publicly to some degree, is the CVE / NVD relationship. I know the following is kind of a unicorn at best, because of government bureaucracy, but I think it would be considerably better for the industry and those that use CVE.

NVD needs to go away. Completely. The money they receive from NIST should be re-assigned to CVE. Hell, the existing contract could stay in place so very little is actually changed. For those not aware, NVD outsources the CVSS scoring to Booz Allen junior analysts. The only real value NVD brings to the table, that so many rely on them for, is CVSS scoring. Having those same analysts report to MITRE instead of NIST would eliminate another issue many in the industry have, that being the extra day or three delay between CVE assignment and CVSS scoring. If CVE had those analysts, they could get a score affiliated with a CVE assignment that much quicker, not have to go through the daily push of data to NVD who then pushes it on to BA. Again, it's the government, two agencies and two contractors that make up the mess of funding and actual work. I know it is a small miracle to make big changes like that (on paper).

.b
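The reference swap described in the message above (each VDB exports its cross-references, the other side imports them, and both end up with a list of shared IDs they do not hold) as an added worked example in Python. This is not code from OSVDB, Tenable or the list post; the two CSV exports, the column names and the `pvs` partner name are constructed for the example, and the shared key is assumed to be the CVE id. It also flags one case the post's point about duplicate assignments implies: two local entries referencing the same CVE.

```python
"""Cross-reference swap between two vulnerability databases (VDBs).

Constructed example: the local side exports its known references, the partner
exports CVE -> internal_id, each imports the other's set, and both compute the
CVEs they do *not* hold so they can investigate why.
"""
import csv
import io

# Constructed local (OSVDB-style) export. Empty string = no reference yet.
# Note the last row reuses CVE-2012-0001: a duplicate assignment to catch.
LOCAL_EXPORT = """osvdb_id,cve,secunia,bid
80001,CVE-2012-0001,SA48001,52001
80002,CVE-2012-0002,,52002
80003,,SA48003,
80004,CVE-2012-0004,SA48004,52004
80005,CVE-2012-0001,,52005
"""

# Constructed partner export: CVE -> partner's internal_id (e.g. a plugin id).
PARTNER_EXPORT = """cve,internal_id
CVE-2012-0001,P-100
CVE-2012-0002,P-101
CVE-2012-0003,P-102
CVE-2012-0005,P-103
"""


def parse_csv(text):
    """Parse a small CSV export into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def swap_references(local_rows, partner_rows, partner_name="partner"):
    """Merge partner references into local rows, keyed on the shared CVE id.

    Returns (merged_rows, missing_locally, missing_at_partner, local_duplicates):
      merged_rows        - local rows plus a new '<partner_name>_id' column
      missing_locally    - CVEs the partner has that no local row references
      missing_at_partner - CVEs local rows reference that the partner lacks
      local_duplicates   - CVEs referenced by more than one local row
    """
    partner_by_cve = {}
    for r in partner_rows:
        cve = r["cve"].strip().upper()
        if cve in partner_by_cve and partner_by_cve[cve] != r["internal_id"]:
            # The partner maps one CVE to two ids: refuse rather than overwrite.
            raise ValueError(f"{partner_name} maps {cve} to more than one id")
        partner_by_cve[cve] = r["internal_id"]

    merged = []
    seen = {}          # cve -> number of local rows referencing it
    col = f"{partner_name}_id"
    for r in local_rows:
        row = dict(r)
        cve = row["cve"].strip().upper()
        if cve:
            seen[cve] = seen.get(cve, 0) + 1
        # Import the partner's id where the CVE is shared; leave blank otherwise.
        row[col] = partner_by_cve.get(cve, "") if cve else ""
        merged.append(row)

    local_cves = set(seen)
    missing_locally = sorted(set(partner_by_cve) - local_cves)
    missing_at_partner = sorted(local_cves - set(partner_by_cve))
    local_duplicates = sorted(c for c, n in seen.items() if n > 1)
    return merged, missing_locally, missing_at_partner, local_duplicates


def run_example():
    """Run the swap on the constructed exports and return all four results."""
    return swap_references(parse_csv(LOCAL_EXPORT), parse_csv(PARTNER_EXPORT), "pvs")


if __name__ == "__main__":
    merged, miss_local, miss_partner, dups = run_example()
    for row in merged:
        print(row["osvdb_id"], row["cve"] or "-", row["pvs_id"] or "-")
    print("CVEs partner has but we lack:", miss_local)
    print("CVEs we have but partner lacks:", miss_partner)
    print("CVEs assigned to more than one local entry:", dups)
```

Each side runs the same merge with the roles reversed; the two "missing" lists are the follow-up work the post describes, and the duplicate list is the cross-reference check that keeps one disclosure from getting two local entries.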

Page last updated or reviewed: November 6, 2012