RE: Candidate numbering scheme
Craig Ozancin said:
>> This could easily be automated. Set up a program that assigns the
>> next number in line in response to email from one of the "authorized"
>Must it be from an Authorized reporter? What about vulnerabilities
>discovered by non-participants.
In order to control the quality of information being brought into the
input forum, I don't think we should have anybody but authorized
reporters assigning numbers. Otherwise, we wind up on a slippery
slope of duplicating what the *Bugtraqs are already doing. I think
that if a "non-authorized" reporter presents a new vulnerability, they
should go through other existing channels - such as the Bugtraqs,
consulting the application vendor, response teams, newsgroups, etc.
Such channels would help to provide the environment which allows for a
more "mature" understanding of the vulnerability to evolve (read: lots
of people with lots of resources), without unnecessarily increasing
the workload of everyone in the Input Forum.
While I admit that this isn't an optimal approach, I think an
unrestricted, all-access numbering scheme conflicts too much with the
requirement for the CVE to represent mature vulnerability information.
However, this puts additional pressure on the CVE to be as complete as
any fully accessible numbering scheme would allow.