[CVEPRI] Future Directions for CVE
All,

Now that CVE has reached the 1000 entry milestone and MITRE is (mostly) done with the conference circuit for the next few months, here is a high level description of the next activities we will be undertaking.

1) There will be several changes in Board membership, such as a number of new members, "substitutions" of existing members with others in their organization, and a "semi-formal" list of roles and responsibilities that will become the basis for evaluating how members are contributing to the CVE Initiative. We are also working on establishing a set of vendor liaisons - individuals that aren't on the Editorial Board, but who could give technical feedback on vulnerabilities in their own products.

2) Our next big focus will be on educating the public - and vendors - about CVE compatibility. We will finalize the compatibility requirements, establish a process for reviewing compatibility, and offer specialized logos for those that "pass" the review process.

3) We have begun to actively ask some organizations to include candidate numbers in their advisories. The current focus is on established organizations or individuals who work with vendors before disclosure. We will continue to provide candidates to others who ask us to provide them (note that Rain Forest Puppy recommends this approach in his latest vulnerability disclosure policy at http://www.wiretrip.net/rfp/policy.html, though we have only received one request since it was updated last week). The concept and use of "diligence levels" will be re-examined as this occurs.

4) The upcoming "vulnerability summit" on November 3rd may have an impact on the role of CVE in vulnerability disclosure. (See http://www.vulnerabilitysummit.org). I will keep you informed.

5) Several changes to CVE content are upcoming.

   (a) A new "maintenance" version of CVE will be released in the next few weeks. It will mostly add references to some entries. The Board will be given time to review the proposed changes.

   (b) A new approach to content decisions will be finalized, and candidates that are affected by CD's will be accepted as official entries.

   (c) The content team continues to process the legacy submissions that were sent in by various Board members over the summer. Many of those submissions are in the refinement phase, which is the last phase before candidates are created.

6) The backlog of "recent" candidates will be cleared in the next month as we recover from our efforts on the new web site and the conferences.

7) We have been investigating an approach for satisfying both sides of the "quality of CVE" camp. Some Board members advocate only having highly-reviewed and reliable entries at the expense of time; others want CVE entries as fast as possible at the expense of noise. The approach could also make the voting process faster and easier, but we need to develop it a little more before proposing it to the Board.

8) Pete Tasker and Margie Zuk have been actively working behind the scenes to create an "Advisory Council" of government sponsors to provide a vehicle for longer-term, continued funding of CVE. Council members are at the CIO level of their respective agencies. The kickoff meeting happened last week, and it was well received. Note that our attempts to get funding through industry have not been successful, so the current focus is on government. There is the possibility of non-US government involvement as well. Note that we are trying to structure the council in a way that does not allow members to directly dictate the course of CVE. The Advisory Council is still in the early stages. We will keep you informed of its progress.

9) Work on the Common Intrusion Event List (CIEL) continues. Bill Hill and I are wrestling with a number of issues (many of which were discussed in previous presentations or emails), but I think we're closing in on the guiding principles that are forming the creation of the draft CIEL. Since much of our work is example-driven, we will be asking Board members for IDS signature databases sometime in the future.

10) We will probably hold a teleconference in early December. Also, the next face-to-face meeting will probably be held at Cisco in Austin, Texas sometime in February or March, thanks to Andy Balinsky's efforts.

- Steve