Re: [CVEPRI] Increasing numbers and timeliness of candidates

To: "Steven M. Christey" <coley@linus.mitre.org>, cve-editorial-board-list@lists.mitre.org
Subject: Re: [CVEPRI] Increasing numbers and timeliness of candidates
From: Pascal Meunier <pmeunier@cerias.purdue.edu>
Date: Thu, 2 May 2002 09:19:22 -0500
Cc: grance@nist.gov
Delivery-Date: Thu May 2 10:20:25 2002
In-Reply-To: <200205020641.CAA07030@linus.mitre.org>
References: <200205020641.CAA07030@linus.mitre.org>

At 2:41 AM -0400 5/2/02, Steven M. Christey wrote:
>Pascal Meunier said:
>
>>References are nice, but the main goal of the CVE was to give a number
>>to an issue so the issue could be discussed.
>
>Only recently has the topic moved to "how quickly the issue could be
>discussed."  CVE was originally intended to deal with tools, which
>have a much longer development cycle than vulnerability databases and
>notification services.

Then I've been under the wrong impression for several years, since 
the workshop on research with *vulnerability databases* where the CVE 
was first discussed.  Timeliness was not an issue as long as you were 
dealing with legacy candidates (>6 months old).  Now it is, and when 
discussing NIST's CVE recommendation you agreed with the statement 
that to consider "CVE as a timely and comprehensive service seems 
like a reasonable expectation".  Moreover, you have a chicken-egg 
problem with regards to reserved candidates.  People will reserve 
candidates only if the CVE is perceived as a timely point of 
reference and having a CVE number in initial references is desirable. 
If the CVE is to be something that identifies soldiers after the 
battle has long been over and when counting the dead, it's not nearly 
as useful as I was hoping it would be.  Which is it going to be?

(with apologies to Steve and the CVE content team who are working 
very hard already -- I sound ungrateful for their Herculean work, but 
I need to have this cleared out, and I need to know what I can 
reasonably expect from the CVE.  I also wanted to provide public 
justification for Steve's efforts to make the CVE more timely, but I 
guess it has come out awkwardly more as an attack than the 
justification I wanted to provide)

<snip>
>As you and I also discussed in private, I
>would like to get candidates out at least once a month.  That means a
>few days of editing, once a month.  (As I said, I'm doing more
>refinement now, too.)  The 6 week delay for this last batch is
>disappointing because it's 2 weeks overdue, but as you may recall from
>the private emails, there were many reasons for those delays.

What I recall from emails is that you were trying to release them 
every two weeks (it's been 3 times the expected delay).  That much 
should be possible without "detriment to the broader work that MITRE 
is doing with CVE"?

regards,
Pascal
-- 
Pascal Meunier, Ph.D., M.Sc.
Assistant Research Scientist,
CERIAS
Purdue University

Follow-Ups:
- Re: [CVEPRI] Increasing numbers and timeliness of candidates
  - From: "Kevin J. Ziese" <ziese@cisco.com>
- Re: [CVEPRI] Increasing numbers and timeliness of candidates
  - From: Mark J Cox <mjc@redhat.com>

References:
- Re: [CVEPRI] Increasing numbers and timeliness of candidates
  - From: "Steven M. Christey" <coley@linus.mitre.org>

Prev by Date: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Next by Date: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Prev by thread: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Next by thread: Re: [CVEPRI] Increasing numbers and timeliness of candidates
Index(es):
- Date
- Thread

Page Last Updated: May 22, 2007

Common Vulnerabilities and Exposures

Re: [CVEPRI] Increasing numbers and timeliness of candidates