
Re: Discussion of well-formed CVE requests



On 2016-05-12 18, Kurt Seifried wrote:
>
> <http://cveproject.github.io/docs/requester/reservation-guidelines.html>
>
> For the DWF handling of open source vulnerabilities, my plan
> currently, in the general case:
>
> Minimum requirements for CVE:
> -Software name (and/or URL if it is a name commonly used more than once)
> -Vulnerable version(s)
> -The base flaw (CWE) or a reproducer that works reliably to trigger it or
> some decent description of the flaw (X/Y/Z, this weird behavior
> occurs) that has a security impact

I think the decent description becomes the CVE name/title? Also a title/name should be required, even if there's also a good CWE match. Something like "Vendor Product (component) CWE-123." Encourage good titles but accept anything reasonable.

Is the above enough for MITRE to import and create a CVE entry? I think currently a somewhat trusted/authoritative public reference is also required?

> Strongly required for CVE (not mandatory, but there better be a good
> reason for not having these):
> -Affected component (e.g. function name, URL in web app, etc.)
> -Link or example of vulnerable code or a link or example of the code
> fix
> -What the security impact is (AIC?) if you can't explain what
> exploitation accomplishes we have a problem
>
> Requested for CVE (it'll speed things up):
> -Fixed version/commit
> -CVSSv2/3 scoring information

And all the above would be implemented in a DWF CSV row and collection of artifacts? Require minimal JSON file?

- Art

Page last updated or reviewed: May 13, 2016