[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Proposal: CVE candidate/approved numbering scheme

Elias said:

>Just exactly why would you need CAN-numbers in bulk? The most
>vulnerabilities I've ever seens any one organization publish in
>a single day has been three or four.

I agree with Russ that a new CNA might need a number of candidates all
at once.  There are also some potentially high-volume CNA's - for
example, the *Bugtraq moderators may want to follow up emails to the
lists with a candidate number, or provide one for the poster to
include in their email.  (Just a suggestion, I know there might not be
a particularly efficient way to do this, and it adds to the workload.)

But I think we should encourage CNA's to only reserve the number of
candidates they plan on using within, say, the next week or so.
Otherwise we'll introduce additional overhead by having to track a
larger number of inactive but pending candidates, as well as
increasing the risk of filling the candidate name space (i.e. 9,999
per year) due to "hoarding."  Some of that problem could be handled by
"expiring" unused candidates after a particular amount of time, but
that approach seems aesthetically unpleasant to me.

- Steve

Page Last Updated or Reviewed: May 22, 2007