
Re: CVE ID Syntax Vote - Results and Next Steps



On Thu, 18 Apr 2013, Art Manion wrote:

: What I'd like to reconsider is the idea of increasingly active CNAs.
: Right now, MITRE cautiously hands out modest allocations of IDs, usually
: sequential, in the tens(?), to CNAs. I don't think there is much waste.
:
: What I want to scope for the future is a world with more CNAs (100s?)
: with more assignment authority (e.g. modulo slices or big sequential blocks
: of the annual CVE ID space). In that world there still probably won't be
: more than 1 million CVE IDs published per year, but there could be many
: more CVE IDs allocated to CNAs. Allocation != publication.

That is a fair point. Beyond the overall process, I don't know much about how CNAs operate. I certainly hope that a CNA is not granted a large pool unless they demonstrate they need it. Such a demonstration is only valid if they actually publish many valid CVEs and request more in the same year.

: Another future scale issue: Automated ways to find vulnerabilities
: could overwhelm the current 10K/year human-scale size of the problem.

That is the primary example Carsten Eiram and I offer. A system where an automated code analysis tool can essentially auto-assign a CVE for each one found. We know the current state of this would mean an incredible number of false positives, so I can't see anyone arguing that CVE should ever move away from some level of manual review for assignment. Unless a company demonstrates a scanner that is > 90% accuracy, that absolutely should not happen. Even then, if we're seeing a CVE assigned to every valid vulnerability, no matter what the exploitation criteria are, then we're also ignoring the current policy of grouping similar vulnerabilities in similar versions. That also works against the argument we're putting forth saying "maybe 1MIL can be reached". In 14 years, we have a single example of a non-MITRE CNA issuing a significant number of identifiers, and that is Kurt Seifried of RedHat. Even with the *incredible* amount of hours he spends on it, he too has said "I can't keep up in some situations". This is no insult to him by any means, it is a basic truth. When Debian gave him a list of several hundred vulnerabilities without an ID, he said "yeah, not happening" and asked that they be posted individually to oss-sec for consideration. When I gave Steve Christey / MITRE a list of ~ 260 vulnerabilities from January 2013 that had no identifier, he too said "not happening".
I do not blame either one, but it illustrates the current model of CVE, and illustrates the problem with manpower and identifier assignment. 14 years and no 10k barrier breached, with CVE and CNAs saying "we can't keep up" moving forward, and the project actually moving into a position to assign about the same number as previous years, if not less. I don't see a 1MIL scenario happening unless CVE changes policy completely. If they do, then CVE also becomes entirely worthless and I don't care what barrier they hit, because most of the industry would drop them quick.

Page Last Updated or Reviewed: October 03, 2014