Re: Proposal: CVE candidate/approved numbering scheme
Elias said:

>Just exactly why would you need CAN-numbers in bulk? The most
>vulnerabilities I've ever seen any one organization publish in
>a single day has been three or four.

I agree with Russ that a new CNA might need a number of candidates all at once. There are also some potentially high-volume CNA's - for example, the *Bugtraq moderators may want to follow up emails to the lists with a candidate number, or provide one for the poster to include in their email. (Just a suggestion, I know there might not be a particularly efficient way to do this, and it adds to the workload.)

But I think we should encourage CNA's to only reserve the number of candidates they plan on using within, say, the next week or so. Otherwise we'll introduce additional overhead by having to track a larger number of inactive but pending candidates, as well as increasing the risk of filling the candidate name space (i.e. 9,999 per year) due to "hoarding." Some of that problem could be handled by "expiring" unused candidates after a particular amount of time, but that approach seems aesthetically unpleasant to me.

- Steve