
Re: CVE Broken References

Thanks for tackling this Chris.  Using a strike-through font (e.g., "s"
HTML tag) in the examples you gave would provide an extra visual clue
that the reference is no longer available.

"The <s> tag specifies text that is no longer correct, accurate or

I would prefer #2, also with links to any other archiving service that
might be useful, if only on the basis they are suggestions that might
be helpful.  The phrasing you chose makes it clear it's not a
commitment so you shouldn't receive complaints.  

If you were able to count the number of times those links are followed,
it might either provide support for a more systematic, permanent
archive, or make the point that some time after a CVE is published,
very few people care.  Perhaps the best benefit/cost is automated
caching for a while.  On the other hand, if only plain text is
archived, a permanent archive may be cost-effective.  A permanent
archive would never require you to modify anything.


On Tue, 2017-10-31 at 19:04 +0000, Coffin, Chris wrote:
> All,
> In continuation of the Board call discussion regarding broken
> references, the CVE team created a few examples of how we might deal
> with broken CVE references in the future. One problem that we were
> recently pointed to is where a reference domain was reused by another
> organization entirely. In these cases, we may want to modify the CVE
> reference when we become aware of this.
> A couple of points to keep in mind:
>   *   The examples here are specific to the CVE list on the web site
> only and not the CVE list downloads (e.g., CSV, XML, etc.).
>   *   If we can automate the process and the pages are likely to have
> been archived, it would probably be useful to point folks to
> something like the Wayback Machine.
>   *   It appears that some of the older references/domains currently
> referenced are not archived. For these we could just automatically
> update based on example #1 below (or something else if there are
> other better ideas)
>   *   We should probably make it clear when this situation exists,
> especially when we are including an archive reference (see the
> options below).
>   *   Including the Wayback Machine links would not always be a
> guarantee that a useful archive of the reference would be available, just
> that we think it would be reasonably likely for the associated
> domain. Similarly, just because we did include a Wayback Machine link
> wouldn't mean the reference won't be archived there, only that we
> didn't think it was likely to be.
>   *   We are not intending to perform proactive reference
> maintenance. The examples here apply to cases where an entire domain
> has been removed and we are made aware of it. We could also do this
> in one-off situations where it seems appropriate.
> Example #1 - Remove hyperlink for broken references (see
> example1.jpg)
> In this example, we simply remove the hyperlink and mark the
> reference URL in some way that makes it clear it is no longer
> functioning. We could do this automatically for domains that we know
> are no longer existing. The point here is that the previous reference
> URL does have some value for folks who are trying to track something
> down and removing it entirely would hinder this ability. What we are
> doing is just keeping the casual user of the CVE web site list from
> clicking on the link.
> Example #2 - Add archived calendar URL (see example2.jpg)
> In the second example, we have included a case where we feel there's
> a good likelihood people can find the page archived by following the
> link. The text in parentheses would be hyperlinked to a calendar
> showing when the page appears to have been archived. In the case of
> the Wayback Machine, it appears that creating this URL is
> automatable. As mentioned above in the points, I don't believe it
> would be a good idea to just change the URL to point to something
> else. We would want to make it clear when the reference is broken,
> but also include the archived reference in a form such as this.
> What are folks' thoughts on these examples? Other options?
> Chris
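
An added sketch, not part of either message and not the CVE team's code, of how the two options discussed in this thread could be rendered: the dead reference is struck through and un-linked (example #1), with a Wayback Machine calendar link when an archive is thought likely (example #2). The domain list, the "broken reference" wording and the function names are assumptions; the host is matched exactly or as a subdomain, so a look-alike domain is not struck by mistake.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed sample data (assumption): domains reported as removed or reused.
# The value is True when archived copies are thought likely (example #2),
# False when they are not (example #1).
DEAD_DOMAINS = {
    "defunct-vendor.example": True,
    "old-advisories.example": False,
}

# Wayback Machine calendar view: this prefix followed by the original URL.
WAYBACK_CALENDAR = "https://web.archive.org/web/*/"


def dead_domain_for(url, dead_domains):
    """Return the listed dead domain that the URL's host belongs to, or None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for domain in dead_domains:
        # Exact host or a true subdomain only; never a substring match.
        if host == domain or host.endswith("." + domain):
            return domain
    return None


def render_reference(url, dead_domains=DEAD_DOMAINS):
    """Render one reference URL as an HTML fragment for the web list."""
    safe = escape(url, quote=True)
    domain = dead_domain_for(url, dead_domains)
    if domain is None:
        return f'<a href="{safe}">{safe}</a>'
    # The old URL stays visible for people tracking something down,
    # but it is no longer clickable.
    struck = f"<s>{safe}</s>"
    if not dead_domains[domain]:
        return f"{struck} (broken reference)"
    calendar = escape(WAYBACK_CALENDAR + url, quote=True)
    return (f'{struck} (broken reference; '
            f'<a href="{calendar}">possible archived copies</a>)')


if __name__ == "__main__":
    for ref in ("http://www.defunct-vendor.example/adv?id=2&x=3",
                "http://old-advisories.example/a.txt",
                "https://notdefunct-vendor.example/"):
        print(render_reference(ref))
```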

Page Last Updated or Reviewed: November 14, 2017