RE: Candidate numbering scheme
Having done some serious traveling last week I was somewhat brain dead when
I made my last posts.
I have given the candidate numbering scheme some thought.
1. We definitely need the candidate numbering scheme. It gives the steering
committee a common reference to the vulnerability.
2. If these numbers are public, how will we get people to stop using them
when vulnerabilities are accepted and given a real CVE number? Once someone
starts referring to a candidate number, they are likely to continue to refer
to that number even after it receives an official CVE number.
3. If the vulnerability is not made public until an official CVE number is
assigned, we will miss out on the discussions/validations that an open
public forum will give us.
These are just my current thoughts. I think that the CVE is a great step in
the right direction.