
CVE ID Syntax - seeking outreach suggestions



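In recent months, MITRE has been working on public communication of the CVE ID syntax change. We would like suggestions from the Editorial Board on how we can further expand our outreach and educate the public.

1) We have published more detailed technical guidance for implementers to find and address issues related to the syntax change:

   http://cve.mitre.org/cve/identifiers/tech-guidance.html

   This page contains some extensive test data so that implementers can be confident that they have adequately addressed the ID syntax. For example, we have lists of many valid identifiers that can expose parsing problems (such as CVE-2014-2147483648, which triggers 32-bit representation problems), and hundreds of invalid identifiers, some of which are taken directly from real-world requests to the CVE web site.

2) We have also collected contact information for CVE-compatible vendors, and we hope to email them soon. However, it is likely that many of our contacts come from the marketing side of their organizations, and we may not always reach the right technical people.

3) We continue to regularly remind the public of the syntax change through the cve-announce mailing list, Twitter, and LinkedIn.

4) We have made syntax-related code changes to our own web site and internal processes. For example, http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-1012 now provides a custom page that educates consumers about the potential truncation problem and the ID protection block, and http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-a1012 provides more specific error messages when a CVE ID is malformed.

5) We have mentioned or focused on the syntax change in talks that we have given, especially in the past year, and will continue to do so. We are also considering offering webinars.

Despite these efforts, there are signs that we are not reaching everyone who needs to handle the change, especially developers of CVE-compatible or CVE-using products. There also seems to be little press interest; the syntax change may be seen as "old news."

We would like suggestions from the Board about how we can reach the right people. For example:

* Are there Board members who are willing to announce the change and/or post educational material to their customer base? If so, what form would be the most useful - PowerPoint slides, a web page, newsletter, webinar, etc.?

* Would it be effective for us to encourage implementers to announce when they have achieved "compliance" with the new syntax, and then publicize these vendors? Would this be useful in fostering some competitiveness to drive organizations to a resolution?

* Are there ways that we can help customers to directly engage with their vendors to ensure that the issues are addressed? We have not yet directly emphasized customers in our outreach, but they might be the most effective in contacting the right people within the vendors and getting resolution.

Any other ideas or suggestions are welcome and encouraged! If there is sufficient interest or need, we could have another Editorial Board teleconference that is focused on this topic.

Thank you!

- Steve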
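The parsing problems named in item 1 and item 4 of the message above (truncation, 32-bit overflow, malformed IDs), shown as an added example that is not part of the original post and is not MITRE's test data or code. It assumes the syntax is "CVE-", a four-digit year, and a sequence of four or more digits; the function names, the case normalization and the sample line are constructed for illustration.

```python
import re

# Assumed syntax: "CVE-", four-digit year, "-", then four OR MORE digits.
# [0-9] is used instead of \d so non-ASCII digits are rejected.
CVE_ID = re.compile(r"CVE-([0-9]{4})-([0-9]{4,})")
# Old-style pattern that assumes exactly four sequence digits.
LEGACY_ID = re.compile(r"CVE-[0-9]{4}-[0-9]{4}")
INT32_MAX = 2**31 - 1


def parse_cve_id(text):
    """Return (year, sequence) for a well-formed ID, else raise ValueError."""
    m = CVE_ID.fullmatch(text.strip().upper())
    if m is None:
        raise ValueError(f"malformed CVE ID: {text!r}")
    # Python ints are arbitrary precision, so long sequences do not overflow.
    return int(m.group(1)), int(m.group(2))


def legacy_extract(text):
    """What a fixed-width matcher reports: long IDs are silently cut short."""
    return LEGACY_ID.findall(text)


def extract(text):
    """Variable-length matcher; the lookarounds prevent partial matches."""
    pat = r"(?<![A-Za-z0-9])CVE-[0-9]{4}-[0-9]{4,}(?![0-9])"
    return re.findall(pat, text)


def overflows_int32(cve_id):
    """True if the sequence number cannot be stored in a signed 32-bit int."""
    return parse_cve_id(cve_id)[1] > INT32_MAX


# Constructed sample line (not real advisory text).
SAMPLE = "Fixed CVE-2014-1012 and CVE-2014-10123; see also CVE-2014-2147483648."

if __name__ == "__main__":
    print("legacy :", legacy_extract(SAMPLE))   # two distinct IDs collapse
    print("current:", extract(SAMPLE))
    for bad in ["CVE-2014-A1012", "CVE-2014-123", "CVE-14-1234"]:
        try:
            parse_cve_id(bad)
        except ValueError as err:
            print(err)
```

The legacy matcher reports CVE-2014-10123 as CVE-2014-1012, a different and valid-looking identifier, which is why a regression suite should include IDs longer than four digits as well as values above 2147483647.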

Page last updated or reviewed: October 3, 2014