Re: CVE and NVD WAS: Counting on CVEs
: >another issue many in the industry have, that being the extra day or three
: >delay between CVE assignment and CVSS scoring. If CVE had those analysts,
: >they could get a score affiliated with a CVE assignment that much quicker,
: >not have to go through the daily push of data to NVD who then pushes it on
: >to BA.
:
: Two things on this.
:
: First, just my opinion, but I think combining CVE and NVD would be very
: bad for CVE.
:
: CVE operates much further upstream in the vulnerability life-cycle than
: NVD does, as we should expect. The core CVE analytical work is
: assignment of IDs at a reasonably consistent level. We need to do this
: as fast as we can while maintaining enough quality in our descriptions
: to keep the system searchable.
:
: The analytical work done on NVD is related, but different. They focus
: more on affected platforms and CVSS scoring. This is really a second
: phase of analytical work and trying to do that concurrently with CVE
: analysis would only serve to slow down CVE publication - and
: dramatically so.

I disagree. You appear to assume that, in the proposed combining of
resources, a CVE entry could only be pushed with this information. I
did not (mean to) imply that at all. A CVE could be pushed live, and then a
second analysis team could come behind them and add CVSS and CPE
information. This would still save a day in data syncing, and reduce extra
middle management, freeing up money for more analysts.