Re: CVE ID syntax - seeking suggestions for expansion
Yes, thanks very much for all the ideas! Keep them coming :)

Adam Shostack mentioned the possibility of rolling out a new-syntax ID early, in order to trigger toolchains to fix the problem quickly and forcefully. I believe that if we did this too quickly, we could break too many toolchains that aren't ready. I believe we need to balance the risk of breaking toolchains (which will happen no matter how widely we publicize the change) against giving vendors enough time to fix the problem.

For example, as Harold Booth has already mentioned, NVD-related schemas contain regular expressions with a 4-digit assumption. When we put a new-syntax ID into the feed, it could cause XML validation errors that could completely block processing of the entire feed. I believe there may be many examples like this, where the presence of a single bad ID can block an entire data feed rather than just a few records; we simply don't have visibility into the impact. The potential for cascading failures seems high.

But I believe there would be some benefit to a timed, predictable release of a new-syntax ID. My thinking is that at the end of this year or in early 2015, if CVE has not yet reached 10K IDs, we could give the public some warning and then issue a legitimate one that would trigger truncation or other toolchain problems. Alternatively, if it looks like we might reach 10K (which is too early to tell), we could release a new-syntax ID a few weeks or months before we completely exhaust the four-digit IDs.

In the meantime, the CVE test data is still available, although it's only in the CVE web site's formats. Harold, I like your suggestion to package up the CVE test data in NVD format, since many CVE-compatible vendors and downstream consumers probably get their CVE information from NVD, not cve.mitre.org.

TK asked "how will we know if we have succeeded?" That's a difficult question. If a toolchain breaks, we won't necessarily hear about it, especially for bespoke/in-house toolchains. Maybe we want to focus on whether the right people have heard the message; we can't really control whether (and how) everybody will address the problem. Some Board members have been supportive of the idea to have vendors announce their compliance. We could possibly measure success if, say, we reach a certain number (or market share) of vendors and capabilities who have announced their ability to handle the new syntax.

- Steve
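The two failure modes raised in the message above (a schema regex with a 4-digit assumption rejecting an entire feed, and a fixed-width field silently truncating a longer ID) can be reproduced with a small model of a downstream consumer. The following is an added example and is not code from the thread, from MITRE, or from NVD: the regexes are assumed stand-ins for whatever the real NVD schema pattern was (the thread does not quote it), the `<feed>`/`<entry>` XML layout is invented for illustration, and every CVE ID in the sample feed is constructed, not real data.

```python
"""Model of how a 4-digit CVE ID assumption cascades through a data feed.

Added example, not code from the CVE Editorial Board thread, MITRE, or NVD.
The regexes below are assumed stand-ins; the real NVD schema pattern is not
quoted in the thread. The XML layout and every CVE ID are constructed.
"""
import re
import xml.etree.ElementTree as ET

# Assumed stand-in for the old pattern with the 4-digit assumption.
OLD_ID_RE = re.compile(r"^CVE-\d{4}-\d{4}$")
# New-syntax pattern: four *or more* digits in the sequence part.
NEW_ID_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample feed (invented layout and IDs); one entry uses a
# 5-digit sequence number, as a post-10K ID would.
SAMPLE_FEED_XML = """<feed>
  <entry id="CVE-2014-0001"><summary>first</summary></entry>
  <entry id="CVE-2014-1234"><summary>second</summary></entry>
  <entry id="CVE-2014-12345"><summary>new-syntax id</summary></entry>
  <entry id="CVE-2014-9999"><summary>last</summary></entry>
</feed>"""


class FeedValidationError(Exception):
    """Raised when a consumer refuses the whole feed."""


def process_feed_fail_closed(xml_text, id_re):
    """Consumer that validates every ID before using any record.

    One ID that misses the pattern aborts processing, so zero records reach
    the consumer: the cascading failure the message warns about.
    Returns the list of IDs if the whole feed validates.
    """
    root = ET.fromstring(xml_text)
    entries = root.findall("entry")
    for entry in entries:
        cve_id = entry.get("id", "")
        if not id_re.match(cve_id):
            raise FeedValidationError("invalid id %r" % cve_id)
    return [entry.get("id") for entry in entries]


def feed_is_rejected(xml_text, id_re):
    """True if the fail-closed consumer throws away the entire feed."""
    try:
        process_feed_fail_closed(xml_text, id_re)
    except FeedValidationError:
        return True
    return False


def process_feed_per_record(xml_text, id_re):
    """Consumer that quarantines only the records that fail validation.

    Returns (accepted_ids, quarantined_ids); the rest of the feed still flows,
    so a single bad ID costs one record rather than the whole feed.
    """
    root = ET.fromstring(xml_text)
    accepted, quarantined = [], []
    for entry in root.findall("entry"):
        cve_id = entry.get("id", "")
        (accepted if id_re.match(cve_id) else quarantined).append(cve_id)
    return accepted, quarantined


def truncating_consumer(cve_ids, width=13):
    """Model of a fixed-width field sized for 'CVE-YYYY-NNNN' (13 chars).

    Silent truncation turns CVE-2014-12345 into CVE-2014-1234, which collides
    with a different, legitimate ID. Returns the (existing, truncated) pairs
    that collided.
    """
    seen = {}
    collisions = []
    for cve_id in cve_ids:
        stored = cve_id[:width]
        if stored in seen and seen[stored] != cve_id:
            collisions.append((seen[stored], cve_id))
        seen.setdefault(stored, cve_id)
    return collisions


if __name__ == "__main__":
    print("old pattern, fail-closed consumer rejects whole feed:",
          feed_is_rejected(SAMPLE_FEED_XML, OLD_ID_RE))
    ok, bad = process_feed_per_record(SAMPLE_FEED_XML, OLD_ID_RE)
    print("old pattern, per-record consumer: accepted", ok, "quarantined", bad)
    all_ids = process_feed_fail_closed(SAMPLE_FEED_XML, NEW_ID_RE)
    print("new pattern, fail-closed consumer accepts:", all_ids)
    print("fixed-width store collisions:", truncating_consumer(all_ids))
```

The fail-closed consumer with the old pattern loses all four records because of one, which is the "one bad ID blocks the entire data feed" case; the per-record consumer loses only the new-syntax record; and even a consumer whose regex is fixed still corrupts data if it stores IDs in a 13-character field, since the truncated ID collides with a different legitimate one. Checking both the validation path and every fixed-width storage path is what the test data the message refers to would exercise.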