Re: CVE and NVD WAS: Counting on CVEs
: >another issue many in the industry have, that being the extra day or three
: >delay between CVE assignment and CVSS scoring. If CVE had those analysts,
: >they could get a score affiliated with a CVE assignment that much quicker,
: >not have to go through the daily push of data to NVD who then pushes it on
: >to BA.
: Two things on this.
: First, just my opinion, but I think combining CVE and NVD would be very
: bad for CVE.
: CVE operates much further upstream in the vulnerability life-cycle than
: NVD does, as we should expect. The core CVE analytical work is
: assignment of IDs at a reasonably consistent level. We need to do this
: as fast as we can while maintaining enough quality in our descriptions
: to keep the system searchable.
: The analytical work done on NVD is related, but different. They focus
: more on affected platforms and CVSS scoring. This is really a second
: phase of analytical work and trying to do that concurrently with CVE
: analysis would only serve to slow down CVE publication - and
: dramatically so.
I disagree. You appear to assume that in the proposed combining of
resources, that a CVE entry could only be pushed with this information. I
did not (mean to) imply that at all. A CVE could be pushed live, and then
a second analysis team could come behind them and add CVSS and CPE
information. This would still save a day in data syncing, and reduce extra
middle management, freeing up money for more analysts.