
Re: CVE hosted services



Some thoughts based on today's Board meeting.

I think of the primary purpose of CVE as identification. There is a bit more work that goes along with identification: information sharing/publishing/cataloging work. Identification/naming is infrastructure that enables many additional functions.

"Vulnerability" is often abstract and subjective. Software and technology change rapidly. The definition/boundary of what "we" "collectively" call a vulnerability evolves. I consider the current discussion (1) about starting to assign CVE IDs to web/service vulnerabilities a natural evolution. Much of the discussion is about the definition/boundary of "vulnerability."

Also a separable discussion (2) about the use of CVE IDs for internal-only, non-public issue tracking. Could an organization use CVE to track vulnerabilities with no expectation of publishing or sharing? Does an organization want to?

To try to narrow down the services discussion (1), I'll suggest: It should be permitted to assign CVE IDs to common web application vulnerabilities in specific sites/services (e.g., facebook.com the site, not WordPress the product). "Common web application vulnerabilities" means things in OWASP/CWE like XSS, SQLi, CSRF. Consider this a use case. There is no requirement for any provider, vendor, or CNA to try to be comprehensive.

Regards,
- Art

Page Last Updated or Reviewed: February 22, 2017