
Re: Fwd: CVE problem



On 2016-01-17 20:12, Kurt Seifried wrote:
> On Sun, Jan 17, 2016 at 11:15 AM, Radek <radekk@protonmail.com <mailto:radekk@protonmail.com>> wrote:
>> I asked cve-assign@mitre.org <mailto:cve-assign@mitre.org> for a CVE number reservation a week ago, and it still has no response. Is this a standard processing time? It would be great to have a CVE assigned before publicly disclosing a vulnerability.
>
> Why is this still a problem? Is anyone else still getting mail like this (e.g. CERT?). I figure for every email I get there must be more people giving up =(.

We see similar requests, and have tried various assignment policies.

1. Disclosures we are directly involved in, we assign (if no other vendor/CNA is available, or if a vendor CNA does not assign when it should...).

2. For high-confidence requests (typically researchers and other CSIRTs we have experience with) we usually also assign.

3. For "hey, I found this vul and got it fixed and need a CVE" we redirect to MITRE. Even when the requester has already asked MITRE and is asking us after.

Our difficulty with #3 is that it's non-trivial effort to ask for details, sort out abstraction/content decisions, go back and forth with the requester, then issue IDs. I'm sure Jonathan understands this :)

We could potentially hand out IDs like candy (like Kurt!), but our thinking was to limit our CNA scope to cases we are already close to, and to not create more backlog for MITRE.

For those keeping track: CVE requester --> Cisco | Symantec --> CERT --> MITRE.

A couple things for the list Kent started:

* CVE assignment and CVE entry creation are distinct.
* The authority/distribution of CVE assignment across CNAs needs to be clarified.

Regards,

 - Art

Page last updated or reviewed: January 30, 2016