
Open Security Foundation (OSF) - CVE ID Syntax Change, Round 2 vote



On Tue, May 7, 2013, Boyle, Stephen V. wrote:

: CVE ID Syntax Change - Round 2 Voting
: Vote Deadline: May 22, 2013, 11:59 US

Before voting, I want to go on record saying that this has become a choice of the lesser of two evils. I am not happy with either format and believe the board has done harm. Personally, I think that many on the board have completely forgotten the reason the board was formed, and use their position to provide influence specific to their own desires, or the desires that best suit *their* organization. As a reminder: http://cve.mitre.org/community/board/

The MITRE Corporation created the CVE Editorial Board, moderates Board discussions, and provides guidance throughout the process to ensure that CVE serves the public interest.

Note that last point; the public interest. Now, re-read and consider before voting. "Most of our tools and processes already support this approach." "Future proofing is important to $MYCOMPANY." "... we don't want to confuse our consumers with a significantly different numbering scheme." For many board members, this clearly isn't about the community. This is about your company, and your consumers, which is ultimately your profit center. That, is not the public interest.

As for the vote, the following is how the Open Security Foundation (OSF) is voting:

: FIRST CHOICE: OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999
: REASONS (first choice): Only slightly lesser evil than the other option; the future proofing is obviously beneficial. Since previous years will keep the 4-digit format, this option will build on that, adding the extra digit as needed. OSF thinks that this slightly outweighs the negative aspect of transcription error frequency, which we feel will increase. Really, you have seen disclosures lately, right? Many of them can't present their own vulnerability findings without typos and errors. We already see typos in the current CVE scheme from large vendors and vulnerability broker services. That said, this option is unfortunately the way to go.
: *****************************************************
:
: SECOND CHOICE: OPTION A: Year + 8 digits, with leading 0's
: REASONS (second choice): Moving to 8 characters is complete overkill and devalues the format, making OSF feel this no longer is the best solution for the industry at large. The standard length is a great benefit to help ensure accurate CVE numbers are used between researchers and organizations. However, too many leading 0s will also lead to transcription errors.
If Steve Christey issues CVE-2014-01234567 for the 'Sushidude-in-Pumps Tequila Overflow', I can be sure that the number is properly formatted, and that in his drunken stupor he has not dropped a digit. Using the other option, any number he sends me cannot be validated quickly with the varying length. And we all know he is a shady character. But, if he has to issue CVE-2014-00000012, that is just as likely to get murky as us old geezers squint to count the zeros. I could have added an extra 0 to that last example, and I bet no one would have noticed. Since prior years will continue to use the 4 digit format, instead of converting to lead padding to maintain a truly universal identifier, this also means that the primary strength of this format is lost, as we are NOT using a fixed-length identifier. We're using a fixed length of 8 digits only for 2014 on. If we're going to use varied length identifiers, this becomes the slightly more absurd/evil option.
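As an added illustration (not part of the post or of any CVE tooling), the validation point above in code: syntax checkers for the two ballot options as the post states them, plus a count of how many single-dropped-digit typos each syntax would still accept. The sample IDs are constructed.

```python
import re

# Option A: year + exactly 8 digits, zero-padded (e.g. CVE-2014-01234567).
OPTION_A = re.compile(r"^CVE-(\d{4})-(\d{8})$")
# Option B: year + arbitrary digits, no leading 0's except IDs 1 to 999,
# which keep the old 4-digit padding (e.g. CVE-2014-0012, CVE-2014-1234567).
OPTION_B = re.compile(r"^CVE-(\d{4})-(\d{4,})$")


def valid_option_a(cve_id: str) -> bool:
    """Fixed length: a dropped or added digit changes the length and fails."""
    return OPTION_A.fullmatch(cve_id) is not None


def valid_option_b(cve_id: str) -> bool:
    """Variable length: leading zeros only as 4-digit padding for IDs 1..999."""
    m = OPTION_B.fullmatch(cve_id)
    if m is None:
        return False
    seq = m.group(2)
    if seq.startswith("0"):
        return len(seq) == 4 and int(seq) >= 1
    return True


def single_digit_drops(cve_id: str) -> list:
    """Every string obtained by deleting one digit of the sequence part
    (a constructed model of a transcription typo, not real data)."""
    prefix, seq = cve_id.rsplit("-", 1)
    return [f"{prefix}-{seq[:i] + seq[i + 1:]}" for i in range(len(seq))]


def undetected_drops(cve_id: str, validator) -> int:
    """How many single-digit-drop typos the syntax check alone would accept."""
    return sum(1 for typo in single_digit_drops(cve_id) if validator(typo))


if __name__ == "__main__":
    # Constructed sample IDs: the fixed-length Option A catches every drop,
    # Option B catches none once the sequence is past the 4-digit range.
    for cid, check in [("CVE-2014-01234567", valid_option_a),
                       ("CVE-2014-1234567", valid_option_b),
                       ("CVE-2014-0012", valid_option_b)]:
        print(cid, check.__name__, "undetected drops:",
              undetected_drops(cid, check))
```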

Page last updated or reviewed: October 3, 2014