RE: Candidate numbering scheme
Craig Ozancin said:

>> This could easily be automated. Set up a program that assigns the
>> next number in line in response to email from one of the "authorized"
>
>Must it be from an Authorized reporter? What about vulnerabilities
>discovered by non-participants.

In order to control the quality of information being brought into the input forum, I don't think we should have anybody but authorized reporters assigning numbers. Otherwise, we wind up on a slippery slope of duplicating what the *Bugtraqs are already doing.

I think that if a "non-authorized" reporter presents a new vulnerability, they should go through other existing channels - such as the Bugtraqs, consulting the application vendor, response teams, newsgroups, etc. Such channels would help to provide the environment which allows for a more "mature" understanding of the vulnerability to evolve (read: lots of people with lots of resources), without unnecessarily increasing the workload of everyone in the Input Forum.

While I admit that this isn't an optimal approach, I think an unrestricted, all-access numbering scheme conflicts too much with the requirement for the CVE to represent mature vulnerability information. However, this puts additional pressure on the CVE to be as complete as any fully accessible numbering scheme would allow.

- Steve