
RE: CVEs incorrectly listed as reserved at MITRE



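Kent asked:

> Isn't it part of the CNA issuance process to send MITRE the relevant information when a CVE is issued?
> ... Do CNAs send in their homework?

CNAs have never authored their own CVE descriptions. They also typically do not notify MITRE when they publish, but this is not relevant to the RBP backlog. We typically become aware that a reserved CVE has been published because we monitor the sources that other CNAs have published to (sometimes the CNAs themselves, Bugtraq, vuln DBs, etc.).

Just because a CNA assigns a CVE ID, that does not mean that the CVE will be for a Must-Have product or will be included in a Full Coverage source. Some CNAs provide CVEs to other parties that are, at best, Partial Coverage; for example, Red Hat supports a lot of private coordination for many open source distributions (not just their own), plus their role in assigning CVEs for many third-party packages on the oss-security mailing list. MITRE itself is also the primary CNA for many CVE reservations that are not for high-priority products or sources.

Once we become aware of a reserved CVE, MITRE is then responsible for populating (writing) the CVE description and linking to at least one reference. It's often analytically expensive to resolve often-significant inconsistencies or errors, extract the relevant details, write the description, and map to references. We also have other kinds of complexity, such as identifying duplicates or resolving inappropriate abstraction (i.e. SPLITs or MERGEs). This analytical overhead has been a major contributor to our RBP backlog, in conjunction with the massive increase in CVEs being reserved in the first place due to the success of the distributed CNA model. We have been increasing our productivity, which is why we are now able to reduce the backlog.

- Steve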

Page Last Updated or Reviewed: October 3, 2014