
Private / Re: CVE "secret" issues



On Thu, 19 Nov 2015, Kurt Seifried wrote:

> http://www.wired.com/2015/11/heres-a-spy-firms-price-list-for-secret-hacker-techniques/
>
> See slide 2.
>
> TL;DR: another company that acquires 0day vulns; the news is that they published their price chart. There are now several companies like this (TippingPoint, Immunity Inc, etc.).
>
> I'm wondering what process, if any, exists regarding CVE assignment. My experience is that the sooner a CVE is assigned the better, ideally before public release if possible. Should we reach out to these companies to help them understand the value of getting a CVE in advance, etc.?

I reached out on behalf of OSVDB to a handful of shops to ask the same question, while pointing out that, failing CVE assignment, they use their own unique IDs like many companies do. My argument was that by being in a database, in some way we can track, it avoids duplicates and helps get them exposure. Especially in a database that tracks exploit availability (e.g. OSVDB / VulnDB tracks commercial exploits and links them to the company). Some VulnDB customers specifically use the service because of the exploit metadata carried in the feed. I don't recall a single company I talked to saying it was a good idea and that they would start.

Some exploit development shops will sometimes answer my emails asking for clarity on whether disclosure A is a duplicate of disclosure B, sometimes not. After a series of emails I have also actively verified that we can rely on the specific wording of a statement to indicate that it is indeed a new issue, versus an issue with an existing exploit.

Which leads into the confusing part... I understand that such a company does not want to give any information away about their 0day, as that is a huge part of their reputation (and thus sales). What I don't understand is that when they release a dozen exploits for already disclosed issues, they don't match them up with a CVE if one exists. Why tell people "we can exploit a remote WordPress flaw" that we know is public, but not which one? As a customer I would certainly want to know that. But, it may be a case where the actual exploit references it, and the public list of exploits released in that version / pack does not. Makes sense for existing customers, but seems like missing out on potential sales, as vague descriptions like that are not very helpful.

HP's TippingPoint ZDI does use CVE for a majority of their issues, and they are also very good about answering questions if there is confusion over assignments or which issue it tracks to in relation to a vendor advisory. I routinely email them and appreciate their help when it comes up.

In general, most that I have spoken to consider CVE assignment as either no benefit, or possibly hurting them competitively. Further, from their eyes, what is the value if they have no plans to ever release details, and never verify it is a duplicate of another disclosure?

Page last updated or reviewed: November 23, 2015