[CVEPRI] Upcoming Editorial Board tasks for CVE content
All:

As we approach the 1-year anniversary of the first Editorial Board meeting at SANS-Baltimore on May 9, 1999, we will be entering a new phase of activity for CVE content. Other MITRE activities continue, such as communications and Editorial Board recruitment, but they are not detailed here.

Relatively speaking, things have been quiet in the past two months since the Editorial Board meeting at AXENT. At the meeting, we discussed some near-term activities that I haven't yet started. As a result, we didn't achieve the content goals that had been slated for May 1.

This isn't all bad news, however. The work we've done at MITRE behind the scenes should make future activities easier. And in April, we finally had more entries than candidates! (Unfortunately, that will change very shortly :-) Also, we achieved a milestone when ISS began to release security advisories that included candidate numbers, and we received another request for a candidate from a reliable non-Board member. Finally, while we didn't achieve the goal of 700 entries, 644 isn't too bad (CVE version 20000425).

Many of those delayed activities will begin in the course of the next month or so. Hopefully we will not miss one of the primary goals of achieving 1000 entries by September 1.

Here are the new activities that will be undertaken shortly.

0) You've already been witnessing some "cleanup" with respect to making final decisions on older candidates. This activity will continue, but much of it will ultimately depend on resolving content decisions (see below).

1) An online voting capability is being actively developed. This should make it easier for everyone to vote on candidates, and to see other people's comments. Regular voting Board members have reviewed a first draft of a voting ballot, and later drafts will be made available to the whole Board for feedback, as the hope is that this will make voting easier for members who don't vote regularly. The first version will incorporate a number of features that were discussed at the Board meeting at AXENT. The engineering is not complete yet, but access will be restricted to Board members.

2) Candidates for all advisories published in 1999 will be created and proposed to the Board. These will include advisories from software vendors, security vendors, and response teams. We are initially focusing on advisories because (a) they are often major issues, (b) the problem is known to exist because it's acknowledged by the vendor, and (c) since they are advisories, we can have a concrete measurement of how well CVE is covering these issues. The Board should be able to quickly process these candidates.

3) We wish to obtain copies of Board members' databases in order to create the remaining set of legacy candidates. A subsequent email will provide details for this request. A related effort will be to create a "focus group" of participating Board members who will actively work toward getting 80% of their products to map to CVE names, provided they commit to voting on those issues.

4) There are over 40 content decisions, few of which have been approved by the Board. These CD's are now holding back the acceptance of up to 300 candidates. Discussion with the Editorial Board will be re-opened for a few CD's at a time, beginning with the ones we discussed at AXENT that *didn't* generate hour-long debates :-) The resolution of CD's should allow us to ACCEPT (or RECAST) a number of candidates that were proposed to the Board as early as June 7, 1999.

5) CVE compatibility requirements will be modified to reflect the feedback at AXENT and our own internal review, further discussed and refined by the Board, then published on the CVE web site.

6) Modifications to CVE entries will be taking place. For the most part, this involves adding references or making minor changes to the description. In some cases, we will need to REASSESS certain entries based on new information and/or CD's. The process for this still needs to be refined, but it will probably be simpler than it is for candidates.

7) If there is sufficient demand for MITRE to perform private candidate number assignment (i.e. for issues that aren't public but will be announced shortly), then we will examine the possibility of opening up the process to other Candidate Numbering Authorities (CNA's), who will be given the capability to assign candidate numbers themselves. This has been discussed at various times in the past, but we are revisiting the issue as a result of recent events.

8) We will be making a number of enhancements to the CVE web site to make it more usable to "end users" and mappers. This may require making some portions of CMEX publicly available, e.g. which content decisions are preventing a candidate from being accepted. However, we will be careful to avoid overlap with existing vulnerability databases whenever possible.

REVIEW OF GOALS
---------------

As a reminder, here are the basic goals for CVE content that we discussed at AXENT. I've adjusted some numbers and dates as a result of recent activities.

June 1
------

1) Receive 10 vulnerability databases from Board members, to help populate CVE.

July
----

1) Primary Goal: have CVE include a total of 850 entries (i.e. add about 200 more entries).

2) Add 500 more legacy candidates.

3) Create candidates for advisories published in 1999/2000. For those candidates not affected by unresolved content decisions, move them into the Entry stage, i.e. get them added to the official CVE. These candidates will count as part of the 500 in step 2.

4) Discuss and resolve 15 content decisions.

September
---------

1) Primary Goal: achieve 1000 total entries.

2) Add 250 more legacy candidates.

3) Create candidates for all problems announced in 1999 and 2000.

4) Expand CVE to cover 80% of participating tools or databases.

5) Discuss and resolve 15 content decisions.

- Steve