Re: [CVEPRI] Increasing numbers and timeliness of candidates
Pascal Meunier said:
>References are nice, but the main goal of the CVE was to give a number
>to an issue so the issue could be discussed.
Only recently has the topic moved to "how quickly the issue could be
discussed." CVE was originally intended to deal with tools, which
have a much longer development cycle than vulnerability databases and
back to the references... It turns out that references are more than
nice, they are often very important for distinguishing between
otherwise similar bugs. They can be a major time saver when someone
is mapping a large number of candidates - or even just a single
candidate. References will reduce mapping errors in CVE-compatible
products. It's easier to visually compare references than it is to
parse a 3-line description. The reference maps are also beneficial to
References are more than just pointers to more information. In the
context of CVE, they are alternate names or synonyms that people use
to talk about vulnerabilities.
>Obviously references discussing the issue can't make use of the CAN
>number until it has been assigned, which requires the release of the
>number before there are references about it...
... which is why we want to increase the number of vendors and other
parties to reserve candidates ahead of time. And timeliness wil help
Nothing is stopping any organization who's releasing an advisory or
other reference from coming to MITRE and asking for CANs.
>Timeliness is *not* at odds with the voting.
Agreed. Voting is an Editorial Board responsibility. Timeliness is
MITRE's. But timeliness also affects Board voting, for reasons I
described in the original email. And timeliness was not an original
requirement for CVE.
>You said a few months ago (November) that you would be making
>non-reserved candidates available on the CVE web site before they had
>been proposed to the board. Is it just happening opposite of that
>only this time, or are you going back to putting the candidates on the
>web site only after clustering and proposing them?
>I just wish you'd release what you have when you have it.
We don't "have it" until I've reviewed, edited, and approved it.
I believe that I explained this at length in a private email, but I'll
repeat it. It needs to be discussed with the Board as a whole,
anyway. Basically, the editing phase is now a bottleneck of sorts. I
believe I've mentioned editing to this list in the past. Work by the
CVE content team is not sent out unreviewed, just like the content of
vulnerability databases are not sent out unreviewed. "Pre-candidates"
that are generated by the content team (including me) are edited by
me. During this editing phase, duplicates are found, content
decisions still cause splits and merges, and an alternate point of
view highlights gaps in the analysis or vendor acknowledgement fields.
Not to mention that editing is the primary place of feedback to
content team members, as I described in a previous email. Only after
a "pre-candidate" is edited, can it get a number.
There were no edited "pre-candidates" a week ago. They get done in a
massive chunk, in a small number of days or sometimes hours. I
alluded to process changes in the first email of this thread. One of
the process changes is to better organize the submissions in a way
that ensures reasonable completeness. Another process change is for
me to perform editing more regularly and balance it with my other
duties, CVE and otherwise. As you and I also discussed in private, I
would like to get candidates out at least once a month. That means a
few days of editing, once a month. (As I said, I'm doing more
refinement now, too.) The 6 week delay for this last batch is
disappointing because it's 2 weeks overdue, but as you may recall from
the private emails, there were many reasons for those delays.
>In the end, the delays introduced for large batch processing are
>multiplied down the road. You're damming the river and then letting
>it all go, and we get flooded.
I understand the issues that you face. And as I've said before, we're
working on it. I believe that we've made demonstrable progress in
recent months. I'll dig up that private email and update it at a
What do others think? Our goal is to release content once a month.
Is that too infrequent? I just checked the stats. Since January
2000, there have been only 4 calendar months in which there were no
I am especially interested in hearing from the Board members who vote,
since some of them have said that the large numbers of candidates
causes problems. However, I have not heard other Board members saying
that timeliness should be a priority to the detriment of the broader
work that MITRE is doing with CVE.