
RE: CNA Rules Announcement



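Larry,

Thanks for the note.

> I don't publicly release the details of the vulnerability, to give the
> vendor time to fix it. Would having the above details in the web
> form help you in this process? Or do you not need the details
> until the disclosure is public?

One thing should be pointed out. The “Notify CVE about a publication” form should only be used when the CVE ID(s) in question are public and can be populated in the CVE repository. It may look as though you could put tomorrow's date into the form and expect that the CVE repository entry would wait until tomorrow, but please keep in mind that this process is not yet automated. If things change on your side and you need to wait on publication, there is currently no easy way to change this date. For now, it would be best if you only used the form once the CVE ID in question has been published on your side. I am definitely open to comments and suggestions on this as well.

As for the fields themselves, we are definitely aware of the fact that the current “Notify CVE about a publication” form does not follow Appendix B exactly. This is mostly a side effect of us creating the CNA rules *after* we created the web forms. We will need to either update the Notify of publication form, or just create a new form specific to CAN notification of publication. In the meantime, I think it makes sense to just include the data in the Additional information field. The field should be large enough to hold a reasonably sized set of fields from Appendix B. The form already has specific fields for the CVE ID and advisory reference. I believe the reference field will allow multiple references separated by a new line, but if not then this could also be included in the additional information. As I had stated previously, this works ok if you have one or a couple CVE IDs to publish. If you have a number of IDs to publish all at once, the best option currently would be through email.

If anyone else on the list has any additional suggestions or thoughts on the topic, please don't hesitate to share them. We will most definitely be thinking about methods for automation around this process as we move forward.

Thanks for the feedback!

Chris

-----Original Message-----
From: Larry W. Cashdollar [mailto:larry0@me.com]
Sent: Friday, October 07, 2016 11:13 AM
To: Coffin, Chris <ccoffin@mitre.org>
Cc: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>; cve-cna-list <cve-cna-list@lists.mitre.org>
Subject: Re: CNA Rules Announcement

Hello,

In filling out the form to publish a CVE, I thought you might have the same fields that are requested in the rules document:

[CVEID]:
[PRODUCT]:
[VERSION]:
[PROBLEMTYPE]:
[REFERENCES]:
[DESCRIPTION]:

I don't publicly release the details of the vulnerability, to give the vendor time to fix it. Would having the above details in the web form help you in this process? Or do you not need the details until the disclosure is public?

Thanks!

Larry

(So far this has been a very winding process, I'm pleased.)

> On Oct 7, 2016, at 11:14, Coffin, Chris <ccoffin@mitre.org> wrote:
>
> Greetings,
>
> On Monday, October 10, all CNAs should be assigning CVE IDs
> based on the new CNA rules listed here:
>
> <http://cveproject.github.io/docs/cna/CNA%20Rules%20v1.1.docx>
>
> As you use these new rules, please share any feedback
> you may have with the rest of the CNA community and MITRE. We
> want to know what is working and what isn't, so that the rules
> and the program can be improved and additional
> guidance and training can be developed based on our collective
> learning. You can share your feedback through the cve-cna-list mailing
> list or directly with MITRE through the CVE Web Form.
>
> <https://cveform.mitre.org/>
>
> As noted by early reviewers, the rules document does not
> provide explicit guidance on how to notify the Primary or Root CNA
> about publications. Appendix B provides the format but does not
> mention the method, and this will be corrected soon.
> There are currently two acceptable methods for sending publication requests.
> The first is to use the web form above and select the option
> “Notify CVE about a publication.” This option works if you are
> publishing one or a small number of CVE IDs, but may not be suitable
> if publishing a large number of CVE IDs. The second method would be
> to create a file in the Appendix B format and email the file.
> We would like you to use the cve@mitre.org address for now,
> although this may change in the future.
>
> We intend to collect and broadly share feedback for the next 3-6
> months that these rules are in effect and current. If this
> timeframe must be accelerated depending on conditions on the ground,
> then it will be, based on the feedback we receive.
>
> Thank you to those who provided feedback during the
> drafting of the document. We look forward to working with the CNAs to help get these
> rules implemented and to work out any kinks.
>
> Please let us know if you think it isn’t time to implement these new
> rules. We think it is based on the feedback to-date coupled with the
> board call yesterday.
>
>
> Chris Coffin
> The CVE Team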

Page last updated or reviewed: October 10, 2016