[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVEPRI] Planned CVE activities for this summer



Planned CVE activities for this summer
--------------------------------------

All,

If everything goes as planned, this summer will be a very busy one for
the CVE Initiative.

We are about to follow up on a number of topics discussed at the last
face-to-face Board meeting.  Below is a list of upcoming activities.

1) Various significant issues will be discussed and decided in the
   upcoming weeks.  I'd like to schedule a teleconference for the week
   of June 18 to June 22.  Please let me know what days and times you
   are available.  We will likely be having other teleconferences over
   the summer, as there is a lot to be decided.

2) After one final Board member is added, membership will be frozen
   until we have finished the changes to the Board that we discussed
   at the face-to-face meeting.

3) On Thursday, I'll present a writeup on Board tasks, roles, and
   expectations.  The Board will review and finalize them over the
   next few weeks.  I will be sending individual emails to each Board
   member regarding the roles and tasks I've observed, then conducting
   followup discussions with those members whose level or type of
   participation is uncertain.  (There are simply too many Board
   members to discuss membership with every person at this time, and
   many of you have steady participation and clear roles and tasks).

4) At the Black Hat conference on July 11, I will be giving a
   presentation on "CVE behind the scenes."  Besides covering content
   decisions and various thorny issues we've wrestled with over the
   years, I will also publicly announce the candidate reservation
   capability which has technically been open to the public for a year
   now.  We would also like to have several more non-MITRE CNA's
   (candidate numbering authorities) in place.  There are various
   issues that need to be considered.  Next week, we expect to present
   our initial approach to CNA's to the Board.

   We also plan to conduct outreach to software vendors this month
   with respect to including candidate numbers in their advisories.
   After the announcement at Black Hat, we will concentrate on
   recruiting established researchers.

   These activities will help address the needs of people who would
   like CVE candidates sooner rather than later.

5) Since many Board members will probably be at the Black Hat
   conference, we could have an informal get-together or dinner.  I
   think the conference itself would be too "distracting" for a "real"
   meeting, so we could make it a casual affair.  Let me know if
   you're interested.

6) Once the Board's tasks and roles are finalized, we will propose a
   method for adding new members.  As discussed at the face-to-face
   meeting, many members wanted to play a more active role in
   evaluating and approving new members.  We agree that this is a
   useful function for the Board and expect to make some modifications
   to the current process.

7) Note that we are delaying the recruitment of up to 12 new Board
   members until the tasks, roles, and recruitment process have been
   addressed.  For those of you who are concerned about the increasing
   size of the Board, we should have a much better understanding of
   the "right" size and composition after all these discussions.  In
   addition, I expect that some members will be leaving the Board.

8) When the method for adding new members has been finalized, we will
   form the CIEL working group.  There are several potential members
   who might make significant contributions to CIEL.

9) After the major "Board business" is completed, we will concentrate
   on major content issues, including discussing voting requirements
   and confidence, adding legacy candidates, addressing limitations of
   the current naming scheme, etc.

10) In parallel, we will be restructuring CVE compatibility
    requirements and putting the evaluation and approval process in
    place.

11) The next face-to-face Board meeting could be held in September.
    Over the course of the next month, we will identify potential
    sites.  While RAID might be an optimal location, unfortunately
    most of MITRE's CVE task leaders have scheduling conflicts.
    (However, some of us could attend a CIEL working group meeting
    before or after RAID.)

    The week of September 17th might be best.  Please let me know your
    availability, or if you would be willing to host the next meeting.


- Steve

Page Last Updated or Reviewed: May 22, 2007