[CVEPRI] Upcoming Editorial Board tasks for CVE content
As we approach the 1-year anniversary of the first Editorial Board
meeting at SANS-Baltimore on May 9, 1999, we will be entering a new
phase of activity for CVE content. Other MITRE activities continue,
such as communications and Editorial Board recruitment, but they are
not detailed here.

Relatively speaking, things have been quiet in the past two months
since the Editorial Board meeting at AXENT. At the meeting, we
discussed some near-term activities that I haven't yet started. As a
result, we didn't achieve the content goals that had been slated for
May 1. This isn't all bad news, however. The work we've done at
MITRE behind the scenes should make future activities easier. And in
April, we finally had more entries than candidates! (Unfortunately,
that will change very shortly :-) Also, we achieved a milestone when
ISS began to release security advisories that included candidate
numbers, and we received another request for a candidate from a
reliable non-Board member. Finally, while we didn't achieve the goal
of 700 entries, 644 isn't too bad (CVE version 20000425).

Many of those delayed activities will begin in the course of the next
month or so. Hopefully we will not miss one of the primary goals of
achieving 1000 entries by September 1.

Here are the new activities that will be undertaken shortly.

0) You've already been witnessing some "cleanup" with respect to
making final decisions on older candidates. This activity will
continue, but much of it will ultimately depend on resolving
content decisions (see below).
1) An online voting capability is being actively developed. This
should make it easier for everyone to vote on candidates, and to
see other people's comments. Regular voting Board members have
reviewed a first draft of a voting ballot, and later drafts will be
made available to the whole Board for feedback, as the hope is that
this will make voting easier for members who don't vote regularly.
The first version will incorporate a number of features that were
discussed at the Board meeting at AXENT. The engineering is not
complete yet, but access will be restricted to Board members.
2) Candidates for all advisories published in 1999 will be created and
proposed to the Board. These will include advisories from software
vendors, security vendors, and response teams. We are initially
focusing on advisories because (a) they are often major issues, (b)
the problem is known to exist because it's acknowledged by the
vendor, and (c) since they are advisories, we can have a concrete
measurement of how well CVE is covering these issues. The Board
should be able to quickly process these candidates.
3) We wish to obtain copies of Board members' databases in order to
create the remaining set of legacy candidates. A subsequent email
will provide details for this request. A related effort will be to
create a "focus group" of participating Board members who will
actively work toward getting 80% of their products to map to CVE
names, provided they commit to voting on those issues.
4) There are over 40 content decisions, few of which have been
approved by the Board. These CD's are now holding back the
acceptance of up to 300 candidates. Discussion with the Editorial
Board will be re-opened for a few CD's at a time, beginning with
the ones we discussed at AXENT that *didn't* generate hour-long
debates :-) The resolution of CD's should allow us to ACCEPT (or
RECAST) a number of candidates that were proposed to the Board as
early as June 7, 1999.
5) CVE compatibility requirements will be modified to reflect the
feedback at AXENT and our own internal review, further discussed
and refined by the Board, then published on the CVE web site.
6) Modifications to CVE entries will be taking place. For the most
part, this involves adding references or making minor changes to
the description. In some cases, we will need to REASSESS certain
entries based on new information and/or CD's. The process for this
still needs to be refined, but it will probably be simpler than it
is for candidates.
7) If there is sufficient demand for MITRE to perform private
candidate number assignment (i.e. for issues that aren't public but
will be announced shortly), then we will examine the possibility of
opening up the process to other Candidate Numbering Authorities
(CNA's), who will be given the capability to assign candidate
numbers themselves. This has been discussed at various times in
the past, but we are revisiting the issue as a result of recent
8) We will be making a number of enhancements to the CVE web site to
make it more usable to "end users" and mappers. This may require
making some portions of CMEX publicly available, e.g. which content
decisions are preventing a candidate from being accepted. However,
we will be careful to avoid overlap with existing vulnerability
databases whenever possible.

REVIEW OF GOALS

As a reminder, here are the basic goals for CVE content that we
discussed at AXENT. I've adjusted some numbers and dates as a result
of recent activities.

1) Receive 10 vulnerability databases from Board members, to help

1) Primary Goal: have CVE include a total of 850 entries (i.e. add
about 200 more entries).
2) Add 500 more legacy candidates.
3) Create candidates for advisories published in 1999/2000. For those
candidates not affected by unresolved content decisions, move them
into the Entry stage, i.e. get them added to the official CVE.
These candidates will count as part of the 500 in step 2.
4) Discuss and resolve 15 content decisions.

1) Primary Goal: achieve 1000 total entries.
2) Add 250 more legacy candidates.
3) Create candidates for all problems announced in 1999 and 2000.
4) Expand CVE to cover 80% of participating tools or databases.
5) Discuss and resolve 15 content decisions.