备注:请欢迎Kurt Seifried CVE编辑委员会

在2015-11-04 09:26 Kurt Seifried写道:>我知道的一件事是CVE面临的外部问题(例如>人要求CVE oss-sec,然后需要一段时间),我是>想知道如果有特定的内部问题/挑战,例如>请求采取很长时间/占用资源因为穷人请求> ?我经常弹私人CVE请求回“我需要更多的信息,特别> X / Y / Z”,非常坚定和起毛报告(我>需要最小化测试用例和根本原因分析,不是一堆100 >文本文件命令行应用程序崩溃,事实证明这是所有>)。我们(CERT / CC)面临类似问题在我们CNA的角色。我们得到了研究人员要求合法的CVE ID,但低严重性/影响漏洞,否则我们不会处理或发布。一种选择是重定向cve-assign研究员,有时回来,“我已经要求他们,没有得到一个答案所以我问CERT。”I believe that CVE looks for a reasonably trusted public source of information (this might get to the sources and products lists) on which to base a CVE ID assignment and entry. So a researcher publish themselves or drop mail on full-disclosure might not be enough to support CVE ID assignment and writeup (in the case that neither CERT nor the vendor publish). While I support the idea that every vulnerability should have an identifier -- ideally a CVE ID -- there are tradeoffs with quality, quantity/scope/coverage, assignment speed, and resources. It may be that working policy is that certain vulnerabilities just don't get CVE IDs? Should a CNA (CERT) shunt requests to cve-assign or just say "no?" Regards, - Art PS, Welcome Kurt!