Re: CD PROPOSAL: INCLUSION - Interim Decision 8/23
In an offline vote to MODIFY this content decision, Kent Landfield
># 4) At least 2 non-MITRE members from different organizations vote on
># the candidate, preferably 3. If there are more than 5 active voters,
># then 75% of active voters will be preferred.
>I'd require 3 votes from different organizations outside of MITRE.
So far, I haven't accepted any candidates without at least 3 non-MITRE
votes. This is a reasonable approach in theory, but we do face a
problem in practice, namely that there are only 3 or 4 individuals who
vote on any one issue, and even that normally takes a month or more to
accomplish. For example, I am very much feeling the fact that Adam
Shostack isn't able to participate actively this month, since he's a
very active voter :)
An additional challenge is that some voters will not vote on
vulnerabilities that they do not know intimately. Of course this is a
rational approach, but it prevents NT experts from voting on Unix
vulnerabilities and vice versa, which further limits the number of
possible voters on any one candidate.
We have to deal with the pure volume of older vulnerabilities that
will need to be added to the CVE. Specifically, we have (roughly)
1500-2000 vulnerabilities that will need to be "back-filled" into the
CVE. Many of the candidates that have been proposed so far are the
"easy" ones, in that they're associated with advisories from trusted
sources (from a CERT or the vendor or a respected vulnerability team);
generally, the only changes that need to be made from the original
proposal is to add a reference or change the wording of the
description. Some of these "easy" ones haven't been voted on by more
than one person, despite the fact that they've been proposed for a
month or more; many are also tested for by a number of security tools.
Of course, there have been other issues such as all the high-level
debates, and the fact that everyone has other work to do :)
I required only "2 votes" here because I wanted to allow for a
streamlined process of approving these older vulnerabilities,
especially the well-understood and prevalent ones. On the other hand,
with new vulnerability information, there's a greater burden on
validation (a topic in the EX-VALIDATE content decision), so it makes
sense to require at least 3 votes in that situation.
How about this modification:
- If at least 3 non-MITRE members vote, then the vulnerability may be
- If only 2 non-MITRE members vote, and the vulnerability predates the
initial public release of the CVE, and at least 2 well-known security
tools claim to check/test for the vulnerability, and at least one of
those tools is NOT associated with one of the voters, then the
vulnerability may be included.
[In other words: a well-known tool whose company didn't vote for an
old vulnerability, can be counted as a vote.]