RE: Sources: Full and Partial Coverage

• To: cve-editorial-board-list <cve-editorial-board-list@LISTS.MITRE.ORG>
• Subject: RE: Sources: Full and Partial Coverage
• From: "Mann, Dave" <damann@mitre.org>
• Date: Mon, 11 Jun 2012 15:44:50 +0000
• Accept-Language: en-US
• Delivery-Date: Mon Jun 11 11:46:30 2012
• In-Reply-To: <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov>
• List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
• List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
• List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
• List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
• References: <2F43C4D2BE8AD24C8AC17D8C64B379B316E94C@IMCMBX01.MITRE.ORG> <CBD696D8.32CFA%kent_landfield@mcafee.com> <2F43C4D2BE8AD24C8AC17D8C64B379B3172CB9@IMCMBX01.MITRE.ORG> <D7A0423E5E193F40BE6E94126930C4930B994ABB80@MBCLUSTER.xchange.nist.gov>
• Sender: <owner-cve-editorial-board-list@LISTS.MITRE.ORG>
• Thread-Index: Ac0qQQlts8Vw+G+QThaLJzUyWXwFOADsby7wAA9usgAALNaBEADKTIwAAGLzIpAAL1KS4ATi1rGQ
• Thread-Topic: Sources: Full and Partial Coverage

Harold Booth wrote:
>Dave has stated that this discussion is about what the scope for CVE should
>be. As I review the discussion it seems the focus has been predominately on
>what sources should be covered. I think the focus of the discussion should
>be on what products should be covered. 

I think we are very close in our thinking and would suggest this is a both/and situation, not an either/or one.

I will work with the CVE team to produce a list of "must-have" products based on our recent EB discussions to supplement and help focus the discussion on sources.   It will be a week or two before I can get a draft of that out.

...BUT...

A list of "must-have" products won't eliminate the need for us, as a Board, to come to agreement on the question of sources.  Too many products require more than one source to adequately track.  And we clearly need to track some sources because they alert us to critical vulnerabilities that occur in products that won't make a "must-have" product list.

Damir Rajnovic wrote:
>... what is the goal we are trying to achieve by putting someone
>into "fully covered" or "partially covered" basket? Are we trying to cover
>most important products? Most used products? Most well known stuff? Sources that
>we happen to know? 

Most important to your organization and your customers/constituents.

The decision about which sources of vulnerability information to track and which ones not to track is an Editorial question of judgment.  We are looking for diverse perspective to be aired and hoping we can forge consensus out of that.  


Harold suggested:
>In keeping with the focus on products I would like to propose that the
>scope for CVE be something along the following lines (I don't intend for
>this list to be comprehensive, just illustrative of what I am proposing):
>
>Cover the top X Operating Systems
>Cover the top X(2) Desktop Applications
>Cover the top X(3) Mobile Applications
>Cover the top X(4) Networking Devices
>Cover the top X(5) Printers
>Cover the top X(6) Web Applications


We envision the lists of products and sources to evolve for a while.  If the end result is something as cleanly and succinctly articulated as what you suggest, that would be great.

First step though is that we come to agreement on the first versions of the lists.



-Dave
==================================================================
David Mann | Principal Infosec Scientist | The MITRE Corporation
------------------------------------------------------------------
e-mail:damann@mitre.org | cell:781.424.6003
==================================================================

• Follow-Ups:
  • RE: Sources: Full and Partial Coverage
    • From: "Booth, Harold" <harold.booth@nist.gov>

• Next by Date: Re: Sources: Full and Partial Coverage
• Next by thread: RE: Sources: Full and Partial Coverage
• Index(es):
  • Date
  • Thread