
Re: CVE Program Priorities



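A few collected responses...

On 2015-12-22 22, Eugene H. Spafford wrote:

> The "cyber" world largely continues to operate on a "ship garbage, fix it
> later" model. Whatever we do with the CVE infrastructure won't
> change that causality, and eventually any response will break
> under load, same as the malware repository/naming schemes.

I don't think CVE is directly meant to change the causality, but rather to provide services and/or data (e.g., vulnerability identification) that support other work such as vulnerability management. We know some current use cases for CVE, but we don't need to know all of them. Even being able to name/identify is infrastructure.

On the question of scale, it may be possible to scale CVE enough to meet the goal of identification. Or it may not be, or may not even be necessary? Anti-malware work somehow continues without centralized identification? We're easily over 10K/year public vulnerability disclosures.

On 2015-12-22 14:28, Kurt Seifried wrote:

> I think we should really split the problem into:
>
> 1) assigning CVEs
>
> 2) the CVE database
>
> as #1 can happily exist with or without #2.

This is an important point. #1 is identification, this thing is called CVE-X. Some amount of information (#2) is needed to perform #1 -- uniqueness determination at least. That amount could be reduced at the cost of more duplicates or overall less short-term quality for #2.

On 2015-12-22 15:46, Boyle, Stephen V. wrote:

> Updated list discussion topics & tasks
>
> 0. The operation of CVE
>
> 1. The prioritized scope of coverage for CVE and the associated
> Sources and Products
>
> 2. A review of CVE’s major use cases (added) ...

I'd like to suggest a step back (or possibly up) and ask if the Board (and other interested parties?) would be willing to focus first on problems/issues with CVE before getting into solutions.

"Do not propose solutions until the problem has been discussed as thoroughly as possible without suggesting any."

http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/

I'm not opposed to any of the discussion topics (maybe #1), and I don't think this is just a list of solutions, but the process idea is to really work on describing the problem space first.

Regards,
Art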

Page Last Updated or Reviewed: December 30, 2015