
Re: Non-public information sources



This makes sense to me.

Pascal

On Wed, 1 Apr 2015 10:39:39 -0400 "Boyle, Stephen V." wrote:

> Recently, two named sources of vulnerability information for CVE, Secunia and
> X-Force, have implemented login requirements, and have restricted which logins
> are allowed access. We recognize that such restrictions are part of a trend in
> which some sources are attempting to balance their desire to provide the
> public with useful vulnerability information with the fact that it is often
> very expensive and resource-intensive to curate such information.
>
> As has been our documented practice, CVE can only refer to information that is
> publicly accessible and free for use by anyone. Any source referenced by CVE
> is free to implement any form of access control, such as a login, as long as
> the control (1) does not limit which people or organizations can use the
> source, and (2) does not impose any excessive inconvenience to the user.
> E.g., if any requester can create and obtain a login for otherwise
> unrestricted access, such as by providing an email address, CVE still
> considers the source to be "public."
>
> If, however, access to the information is denied by the provider for any
> reason that MITRE determines is intended to limit who is allowed to access
> it, then the source is not considered "public" by CVE and will not be
> used, even if CVE is allowed access while others are restricted. Similarly,
> any public source referenced by CVE cannot contain any restrictions for the
> sharing or reuse of its information, beyond the usual expectations that users
> include proper attribution to the source, avoid plagiarism or reposting, etc.
> Sources that are inherently open without restrictions, such as
> Full-Disclosure or Bugtraq, are presumed to have no access restrictions.
>
> As a result of Secunia's and X-Force's decisions to restrict access to their
> vulnerability information, we wanted to formally notify the Board that CVE
> will no longer reference Secunia or X-Force in our entries. If their access
> policies change in the future such that they again become publicly
> accessible, then we will again reference their vulnerability information.
>
> Please note that although OSVDB restricts access to its search functionality,
> CVE still considers OSVDB as a "public" source. While CVE no longer directly
> monitors OSVDB's site, since OSVDB allows people with interactive web
> browsers to access individual OSVDB entries, CVE is free to reference
> OSVDB entries as long as they are cross-referenced in some other source
> or disclosure that is publicly available.
>
> MITRE is not considering the removal of previous entries in the CVE List that
> cite Secunia, X-Force, or other sources from the past that were originally
> public but then restricted, such as VUPEN. The references were public at the
> time we associated them with the CVE entries and may serve as important
> correlating identifiers, or they acted as the primary or secondary source of
> information in the CVE description. Any such mass removal would affect
> thousands of CVE entries, which would have unexpected adverse impacts on
> downstream consumers who monitor and act on CVE changes.
>
> Best Regards,
> The MITRE CVE Team

Page last updated or reviewed: April 14, 2015