
Re: So some blindspots that came up as a result of CVE for service discussion



Lisa, I like the document, except for the requirement "You find there is something customers can do to detect earlier exploitation." That assumes you have perfect knowledge of what a customer would or could do, but the customer can have a different perspective. For example, a customer may decide that the best action is to change providers! That option will likely not be considered as something a customer can do, by the provider, one reason being the conflict of interest.

Pascal

On Wed, 2018-10-31 at 17:20 +0000, Lisa Olson wrote:
> I've been brainstorming with colleagues here at Microsoft. The attached document
> distills our thoughts and provides some examples.
>
> From: Kurt Seifried
> Sent: Thursday, October 25, 2018 10:32 AM
> To: cve-editorial-board-list
> Subject: So some blindspots that came up as a result of CVE for service discussion
>
> So we had a good CVE for services discussion today and some blindspots were identified,
> the biggest one (and something the board will have to deal with) being:
>
> CVE Database - practical vs. theoretical?
>
> So in the past the CVE database has largely been for exploitable vulnerabilities, although
> we don't require proof of exploitation typically most are pretty self explanatory. We do
> have cases like the Linux Kernel where we, out of caution, assign a lot of CVEs
> (http://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=linux+kernel)
> because typically these flaws are found to be exploitable with enough work.
>
> One aspect of this, however, is that with software we don't know whether it has
> been exploited, and in some cases we don't even know who is running this stuff.
>
> This brings us to the cloud: most cloud providers have quite a bit of logging, and can in
> some cases definitively say "yes, service X had a vulnerability, but we checked all the
> logs and it was never exploited/triggered", so in this case we definitely have a
> vulnerability, but we also have (as far as we know) conclusive evidence that it was never
> exploited.
>
> In this case, if we have proof that it was not exploited, should it get a CVE or not? I see
> arguments both ways, but I'd like the board's take.
>
> --
> Kurt Seifried
> kurt@seifried.org

Page last updated or reviewed: November 1, 2018