Mid-August Deadline for CVE Review?
All,

We need to discuss timing issues dealing with the review of CVE content. The big issue here is the setting of a hard and fast release date for the CVE, which will in turn drive decisions about the review of the initial content.

One of the big pieces of feedback that we got from everybody at the SANS meeting was that we only have one shot to introduce the CVE as a new thing and that we need to do the introduction right. We have taken your advice to heart and we believe that timing is critical.

On the one hand, we need to provide you, the Editorial Board, a reasonable amount of time to digest the initial content of the CVE. Also we believe that a public release will generate more attention after the vacation season has passed. On the other hand, if we prolong the release too long, we run the risk of the CVE effort languishing in the mud, so to speak.

At SANS, we proposed a mid to late June release date. In an attempt to balance these 2 pressures, we are going to shoot for a release date sometime in September with a possible public announcement to be made at a conference in October. In order to make a September release date, we will need to have all feedback on CVE content issues (excluding the steady stream of new vulnerabilities) resolved by mid to late August. This will give us just 2 months to complete the technical review of some 650 vulnerabilities! Shortly, Steve will put out a more detailed announcement detailing our proposed schedule for moving the CVE entries out for review.

My personal observation about this is that we clearly need to treat the review of the initial CVE content differently than what will become the ongoing review of new CVE entries. In a word, it will have to happen faster.

One idea we are considering in order to facilitate faster review is to press ahead with a very aggressive review schedule. The purpose of this initial review will be to identify vulnerabilities that we find broad agreement on.
For those that we cannot find *fast* agreement, we propose that MITRE host a 1 or 2 day meeting in mid August. The purpose of this meeting will be to hammer out agreement on the remaining vulnerabilities. [Thanks to Adam Shostack for suggesting this to us.]

So 2 direct questions for you:

1) Are there any major objections to a mid to late August deadline for the initial CVE content review? If so, should the date be moved forward or back and why?

2) Would you be open to attending a workshop here at MITRE in the mid to late August time frame to deal with unresolved content decisions?

--
=========================================================
David Mann                     || phone: (781) 271 - 2252
INFOSEC Engineer/Scientist, Sr ||
Enterprise Security Solutions  || fax: (781) 271 - 3957
The MITRE Corporation          ||
Bedford, Mass 01730            || e-mail: firstname.lastname@example.org