
Re: CVE ID Syntax Vote - Results and Next Steps



On Thu, Apr 18, 2013 at 02:41:14PM -0500, security curmudgeon wrote:
| On Thu, 18 Apr 2013, Art Manion wrote:
|
| : Another future scale issue: automated methods to find vulnerabilities
| : may overwhelm the current ~10k/year human-scale size of the problem.
|
| This is the main example I have offered. A system of automated code
| analysis tools could essentially assign a CVE automatically to each
| one found. We know the current state of this would mean an incredible
| number of false positives, so I can't see anyone arguing that CVE should
| ever move away from some level of manual review for assignment.
|
| Unless a company demonstrates a scanner that is > 90% accuracy, that
| absolutely should not happen. Even then, if we're seeing a CVE assigned to
| every valid vulnerability, no matter what the exploitation criteria are,
| then we're also ignoring the current policy of grouping similar
| vulnerabilities in similar versions. That also works against the argument
| we're putting forth saying "maybe 1MIL can be reached".

Let's assume for a moment that we actually have such a scanner. For example, a fuzzer plus toolchains that assess exploitability. (Of course, such a fuzzer may generate the same cases repeatedly.)

Here I think we need to think about the CVE use cases. CVE is at its most useful at the boundaries between disciplines. To my mind, the tool output you're describing here is more akin to a bug identifier than a CVE. If you're tracking software changes through an open source project, and managing backporting of security fixes, I can see that bug ID being useful to you as a tool for communication between package maintainers, and I can even see where someone outside would use it. For example, if Alice is checking that a list of CVEs associated with Bob's DNS server as part of Charlie Linux have been patched, she might get a list of CVEs and use them to check. In this case, I think it might be more useful to assign a CVE to a set of bugs which get updated at the same time. (This may be analogous to practices by my employer, but I am, per your implied request, not representing them here, but considering the question of what's best for the communities served by CVE.)

This does not perfectly address Alice, Bob or Charlie's needs. But perfectly addressing those needs means that Bob's typical customers get an incredibly long list of CVEs with each update, and all they care about is "am I up to date." So if we want to support such a thing, we'd need to argue that ease of use for the community that's backporting fixes outweighs ease of use for the broader sysadmin & vuln management communities.

Adam
Speaking for myself

Page last updated or reviewed: October 3, 2014