[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE: intellectual property/branding



Stuart Staniford-Chen asked:

>I'm interested in issues that would get in the way of the IETF saying
>in an RFC that the n'th field in an IDEF alert is a CVE number.

>what intellectual property rights does Mitre plan to assert in the
>content of the CVE?

The CVE will be copywritten but will allow unlimited distribution, but
the copyright statement will prevent its modification.  This will
allow anybody to download the entire CVE, and in fact the downloads
page on the web site allows just that.  But the copyright will be
worded to prevent someone from making changes to the CVE itself,
e.g. changing CVE-1999-0003 to be their favorite vulnerability,
instead of rpc.ttdbserverd.  I don't know the details of the GNU
public license, but it will probably be something along those lines.
Full public distribution is a requirement of an acceptable common
enumeration.

The fact that the entire CVE can be freely downloaded, where
vulnerability databases are not, could make it appear that the CVE is
in "competition" with those other resources, or a replacement for
them.  However, as long as we make certain that there is minimal
overlap between the CVE and any vulnerability database, then the CVE
could not effectively "compete" with vulnerability databases; nor is
it designed to.  The CVE has to remain neutral in that regard,
especially since it's designed to link between vulnerability
databases, not to replace them.  I believe that Editorial Board
members understand this, but every design decision we make with
respect to the CVE has to consider these implications, especially in
CMEX.  And the CVE often appears to be a vulnerability database to
someone who's not familiar with it.  The web site's FAQ and front page
make this distinction clear, but it may not register with the average
security analyst.

I would prefer that we also provide CMEX (or a portion) due to its
benefit (especially references), but that is a debate I've scheduled
for sometime in August.  There were some initial concerns at the SANS
meeting that may not have been fully addressed yet.

>More nebulously, there's the issue of branding.  At the moment, it
>looks to me that Mitre is definitely positioning this as "The Mitre
>CVE" with the Mitre brand strongly linked to it.

Since the CVE's inception, we have had a number of internal shifts in
how we refer to the CVE.  In the paper that Dave Mann and I presented
at the CERIAS workshop, we discussed the possibility of multiple
CVE's, and we would often talk about "a CVE" in a generic sense.  When
we started actually creating a CVE, we began referring to it as "the
MITRE CVE" to distinguish MITRE's work from other possible CVE's.
However, we believe that "the CVE" and "the MITRE CVE" have now become
interchangeable and synonymous.  So we're moving to "the CVE" both
because there's only one CVE, and it re-emphasizes the fact that the
CVE is the result of a community effort, not just MITRE's.  Note that
this most recent change in terminology was decided by the president of
the company.

>A possible route of evolution for the CVE would be for it to be
>published periodically as an RFC.  Steve and other Mitre folks are
>still the authors, but it becomes a standards track document.

There are a number of long-term possibilities, this being one of them.
MITRE will choose the long-term strategy that best serves the public
interest.

I am trying to arrange for senior management to talk to the attendees
at the CVE Review meeting in August.  There have been a number of
high-level questions that require answers from my management.
Certainly I can't answer for the company in some of these areas, but
the CVE does have support across the board, including MITRE's
president.  They will be able to address your larger concerns.

- Steve

 
Page Last Updated: May 22, 2007