Impending CVE candidates for review - next week
I'll give the Editorial Board (i.e. you) a few more days to chew on
the candidate numbering scheme and raise any concerns or objections.
This may be the first real case where Dave and I will enforce our rule
of "silence implies assent," so please speak up!
Sometime in the middle of next week, I'll start proposing the
vulnerabilities in the current CVE that I think we'll all agree on.
I'll propose them as "candidates" whose numbers happen to coincide
with the current numbering scheme. That way we can start ironing out
the bugs in the proposal and debating scheme. The automatic number
generator obviously won't be ready for a while, so I'll act as the
only CNA until we've had all the current vulnerabilities reviewed.
I'm still not certain when to bring in the new vulnerabilities that
have crept up since the first draft (or with older vulnerabilities
that the editorial board members will want to add), but I believe that
reviewing the existing CVE will make the process a lot smoother for
bringing in more vulnerabilities before the first release.