[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Proposal: CVE candidate/approved numbering scheme

1. Mitre (or Mitre-controlled automatic mechanism) should fill in all
CMEX fields for Candidates. There's no need for this to be left to the
proposer (and we probably don't want to leave it to them either).

  - name (automatic)
  - creation date (automatic)
  - id/name of the CNA who proposed it (based on site access ID -
Login/SMIME Cert/PGPkey?)
  - status (always PENDING)
  - status explanation (blank - filled in after discussion)

2. There needs to be some mechanism for easily retrieving numerous
CAN-numbers. (i.e. we do not want to have to repeatedly hit a "Submit"
button on a web page to generate 10 numbers for reservation).

3. When the CVE is searched with a CAN-number, it should return a link
to the CAN-webpage *if* the CAN-number has been assigned. No point
frustrating folks by saying it doesn't exist on one page to have them
search again on another.

4. The results of an enquiry for a CAN-number on the CAN-webpage should
provide a contact to the proposer. (i.e. imagine a vendor who has been
told about some CAN-number by some 3rd party and wants to get involved
in the discussion to provide a fix)

Your status field definitions could probably use some discussion, but
for the sake of time to implementation, we can defer that until we get

Russ - NTBugtraq Editor

Page Last Updated or Reviewed: May 22, 2007