
RE: CVE program priorities



I would like to hear from the MITRE team how they would like the Board to help us collectively move CVE forward.

I would also like to second Art's insightful comments about carefully defining the problem.

Likewise, where do we want CVE to be in 5 years? What steps do we take to get there?

Scott

> On Dec 29, 2015, at 12:57, Art Manion <amanion@cert.org> wrote:
>
> A few collected responses...
>
>> On 2015-12-22 22, Eugene H. 清单 wrote:
>>
>> The cyber world largely continues the "ship garbage, fix it
>> later" model. Whatever we do with the CVE infrastructure won't
>> change the causality, and eventually any response will break
>> under load, the same as the malware repository/naming models.
>
> My view is that CVE is not directly intended to change the
> causality, but rather to provide services and/or data (e.g., vulnerability
> identification) that support other work such as vulnerability management.
> We know some of CVE's current use cases, but we don't need to know them
> all. Even being able to name/identify is infrastructure.
>
> Now, to the scale problem, it may be possible to scale CVE sufficiently
> to meet the identification goal. Or it may not, or it may not be
> necessary even? Anti-malware work somehow continues without centralized
> identification? We're easily above 10K/year public vulnerability
> disclosures.
>
>> On 2015-12-22 14:28, Kurt Seifried wrote:
>> I think we should really split the problem into:
>>
>> 1) assigning CVEs
>>
>> 2) the CVE database
>>
>> as #1 can happily exist with or without #2.
>
> This is an important point. #1 is identification, this thing is called
> CVE-X. Some amount of information (#2) is needed to perform #1 --
> uniqueness determination at least. That amount could be reduced at the
> cost of more duplicates or overall less short-term quality for #2.
>
>> On 2015-12-22 15:46, Boyle, Stephen V. wrote:
>> Updated list discussion topics & tasks
>>
>> 0. The operation of CVE
>>
>> 1. The prioritized scope of coverage for CVE and the associated
>> Sources and Products
>>
>> 2. A review of CVE's major use cases (added)
> ...
>
> I'd like to suggest a step back (or possibly up) and ask if the Board
> (and other interested parties?) would be willing to focus first on
> problems/issues with CVE before getting into solutions.
>
> "Do not propose solutions until the problem has been discussed as
> thoroughly as possible without suggesting any."
>
> http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/
>
> I'm not opposed to any of the discussion topics (maybe
> #1), and I don't think it is merely a list of solutions, but the
> process idea is to really work on describing the problem space
> first.
>
> Regards,
>
> - Art

Page last updated or reviewed: December 30, 2015