Phases of Candidate Acceptance
All:

Since the week for reviewing the CERT candidate cluster has expired, I've had to consider what the next steps were for moving from a "candidate" to an official CVE entry. It makes me nervous that there's been so little response to the CERT cluster, but if we don't move forward, we'll never get the CVE rolling.

Below are 5 phases that a candidate will go through before it is accepted (or rejected) as a CVE vulnerability. As with others, these phases are open to discussion, but I'd prefer to see some discussion on the proposed candidates.

To use the terminology I provide below, CAN-1999-0001 through CAN-1999-0663 have been assigned; the candidates in the CERT cluster have been announced; and this Thursday, most of those CERT candidates will move to Interim Decision. In other words, speak now on the CERT vulnerabilities, especially if you have any problems with them :)

I will post another cluster later today.

- Steve

Phases of Candidates
--------------------

1) Assignment - CNA reserves a candidate number

2) Announcement - CNA announces the candidate (strongly preferred that it just be to the Editorial Board, if vulnerability is previously known; we want to reduce the presence of candidates in the public as much as possible). Editorial Board discusses the vulnerability and associated issues.

3) Interim Decision - Editor posts a decision based on discussion. Members have 2 days to post objections. If significant discussion ensues, vulnerability stays at Interim Decision.

   When is a candidate ready for the Interim Decision phase? The earliest of:
   - high percentage of ACCEPT votes from *active* board members
   - no new discussion for a week

4) Final Decision - Editor makes a final decision, announces to the board. If a CVE number is assigned, board can reliably believe that the CVE number will be used.

   When is a candidate ready for the Final Decision phase? When discussion dies down, or the Editor believes it is in the best interests of the community to assign a name.

5) Publication - if accepted, candidate is "announced" to the public. Otherwise, decision is recorded in candidate database, which can be accessed by public via web site.