Re: [CVEPRI] Increasing numbers and timeliness of candidates
> People will reserve candidates only if the CVE is perceived as a
> timely point of reference and having a CVE number in initial
> references is desirable.
I agree and this is where getting a critical mass of vendor involvement
higher up the food chain is essential. Red Hat is a good example as we
have to deal with issues in hundreds of third party packages. We can
never expect that every open source package author is going to know about
or understand CVE, or even that the issue reporter will. So it's up to us
and companies in the same position to do the advocacy.
Since getting involved in CVE I've been trying to reserve candidates that
affect Linux vendors well in advance of issues becoming public and
distributing the names to the original reporter, other affected vendors,
in a number of initial annoucements from reporters. Get a few more big
vendors on board, get CERT reserving names for everything they talk to us
and other vendors about, and raise the profile a bit on bugtraq and then
CVE will be more timely and relevant.
Mark J Cox / Red Hat / OpenSSL / Apache Software Foundation
firstname.lastname@example.org // T: +44 798 061 3110 // F: +44 870 1319174