1) a block of CVEs for testing of CVE processing systems, e.g. CVEs with long descriptions, Unicode, etc. This would be publicly available and could be used to test systems that process CVEs and ensure they work correctly (much like the CVE-2014-10000 and related).
2) a block of CVEs reserved for "internal" use (within a single organization or between organizations working on automated systems for example). The content of these would be generated by the organization using them.
Essentially the idea is you could easily add a final check for this range and not display them to users/pass them to external systems/etc (unless you're actually testing that of course). The CVE descriptions should probably make it clear that this is testing data (e.g. *** TEST ***) but that may be hard (e.g. you want one with a Unicode description), hence setting aside a specific block.
One idea was to use CVE-YEAR-900000 through 999999 and split it in half, 900000 through 949999 for the official test data and 950000 through 999999 for the testing of systems.
--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: [hidden email]
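The "final check for this range" described in the message, as an added example that is not part of the original post or of any CVE tooling. It assumes the proposed split (CVE-YEAR-900000 through 949999 and 950000 through 999999) were adopted; the function names and the sample IDs are constructed for illustration.

```python
import re

# Blocks from the proposal above (an idea under discussion, not adopted policy).
OFFICIAL_TEST = range(900000, 950000)    # publicly available test data
INTERNAL_TEST = range(950000, 1000000)   # content generated by the organization using it

# CVE ID syntax: CVE-YYYY-NNNN with four or more sequence digits.
CVE_RE = re.compile(r"CVE-(\d{4})-(\d{4,})")


def classify(cve_id):
    """Return 'official-test', 'internal-test', 'normal' or 'invalid'."""
    m = CVE_RE.fullmatch(cve_id.strip().upper())
    if m is None:
        return "invalid"
    # Compare by numeric value so a zero-padded form of a reserved
    # number is still caught, while a seven-digit ID such as 1000000 is not.
    seq = int(m.group(2))
    if seq in OFFICIAL_TEST:
        return "official-test"
    if seq in INTERNAL_TEST:
        return "internal-test"
    return "normal"


def release_filter(cve_ids, allow_test=False):
    """Last step before display or export: returns (released, held).

    Malformed IDs are always held; test IDs are held unless allow_test
    is set (the 'unless you're actually testing that' case).
    """
    released, held = [], []
    for cve_id in cve_ids:
        kind = classify(cve_id)
        if kind == "normal" or (allow_test and kind.endswith("-test")):
            released.append(cve_id)
        else:
            held.append((cve_id, kind))
    return released, held


# Constructed sample IDs covering both block boundaries and near misses.
SAMPLE = ["CVE-2014-0160", "CVE-2014-10000", "CVE-2016-900000",
          "CVE-2016-949999", "CVE-2016-950000", "CVE-2016-999999",
          "CVE-2016-1000000", "cve-2016-0950001", "CVE-16-900000"]

if __name__ == "__main__":
    released, held = release_filter(SAMPLE)
    print("released:", released)
    print("held:", held)
```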