
Re: Procedures for penalizing or revoking CNA status?



On Thu, 25 Sep 2014, jericho wrote:

> To the rest of the Board, there has been increasing reason to better
> monitor and restrict CVE assignments. Researchers requesting them,
> who have never understood CVE or the abstraction process.

The first issue - researchers requesting CVEs - is separate from CNAs managing CVEs. I'll discuss the latter. (For the former, the increasingly varied skill levels of the people involved, combined with our desire to reduce access to 0-day information, currently allows certain problems to go undetected during the reservation period. We are aware of this and related problems, and our CNA team will develop various strategies to reduce these errors.)

Some context for CNA-related errors: historically, we have had a REJECT rate of about 0.5% of CVEs overall, but that rate has risen in recent years, although I do not track these numbers regularly or precisely (yet). While I personally don't like REJECTs, 0.5% does not indicate a systemic problem. But since the raw number of CVE assignments has risen along with the rate, the raw number of REJECTs has increased noticeably. REJECTs, for us and, I believe, for many CVE consumers, can cause confusion and be time-consuming to resolve.

We do not have any formal procedures for warning, penalizing, and/or revoking CNA status, but we agree that we should develop some. One issue is that things have gotten much more complex, and what might appear to be a CNA error could in fact be due to limitations of the CNA process, many of which were discussed in the early days of CVE, if I recall correctly. When developing procedures, we also need to ensure that any disciplinary measures - when necessary - are not out of balance with the offense.

However, we also need to be clear on what is causing the errors. The errors that occur are rarely due to carelessness. For example, we've learned that over time, people's jobs (naturally) shift; and the original technical lead for a CNA might move to a different role, and the replacement is not as well-trained. As another example, there are researchers who contact multiple CNAs for CVEs and effectively introduce duplicates that way (not maliciously, as far as I can tell); many researchers, especially those new to the industry, don't really understand how CVE works, and are not necessarily diligent in reading our fairly extensive documentation. As a third example, the significant media attention and urgency given to some issues, along with non-coordinated disclosure, introduces room for error. Incomplete *disclosure* coordination happened with both Heartbleed and Shellshock, and was a factor in the confusion - for which CVE was a symptom and not a cause (and, partially, a cure because we did REJECTs pretty quickly.) There are many more situations besides these.

These types of errors become more pronounced when dealing with higher volumes of CVEs, with more and more people communicating using CVE, since the "network" of CVE-speaking parties effectively becomes more complex. In the coming months, we will improve our tracking for REJECTs and why they happen; consult more closely with CNAs; and consult with the Board on ways forward.

- Steve

Page Last Updated or Reviewed: October 30, 2015