[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Candidate numbering scheme




All:

We seemed pretty much agreed that there should be a separate numbering
scheme for "candidate" vulnerabilities that are proposed to the input
forum.  We might be able to have a mailing list which utilizes some
sort of ticketing system, but that would make it difficult to identify
multiple vulnerabilities in the same email.  I propose a numbering
scheme such as:

	CAN-<id>-YYYYMMDDn

where <id> is an "official" ID that identifies the proposer, YYYYMMDD
is the year/month/date, and "n" separates multiple vulnerabilities
that the proposer um, proposes on the same date.  The benefit of the
date in the ID is that we can immediately see which candidates are
getting "old."  In the short term, the proposer could take the
responsibility for ensuring that their number is unique, and the
encoded date helps that.

In the longer term, it may be better to have an external mechanism
that proposers can access to get more arbitrary numbers that are
guaranteed to be unique.  I believe that Russ and Adam may have some
ideas on such a mechanism.

- Steve

Page Last Updated or Reviewed: May 22, 2007