Re: CVE ID syntax down-select complete - Public Feedback to begin
I don't see this as in any way a competitive situation... We are trying to make the best decision for the CVE and the industry moving forward... Anyone can see my and mcafee's responses. I don't care. McAfee does not care.
I really don't see how a format could be competitive when we are talking about industry collaboration and identification of vulnerabilities...
On Jan 18, 2013, at 5:58 PM, "Christey, Steven M." <email@example.com> wrote:
> (removed the cve-assign email from the CC - the entire team can follow this list.)
> It might be feasible to package up the raw responses we get on a periodic basis, and change the announcement to emphasize that responses would be seen by MITRE as well as Editorial Board members.
> However, since some of the people providing feedback would be competitors of Board members, that might actually discourage important participants from sharing honest opinions for fear that their competitors will hear it.
> - Steve
> -----Original Message-----
> From: Art Manion [mailto:firstname.lastname@example.org]
> Sent: Friday, January 18, 2013 5:09 PM
> To: Kent_Landfield@McAfee.com
> Cc: Christey, Steven M.; Common Vulnerabilities & Exposures; cve-editorial-board-list
> Subject: Re: CVE ID syntax down-select complete - Public Feedback to begin
> On 2013-01-18 14:55 , Kent_Landfield@McAfee.com wrote:
>> Glad to hear there is a targeted list. Any chance you could make that
>> MITE-Only listeners and Board Members that request opt-in? The decision
>> is important and the more raw opinions the better from my perspective.
>> Yes, I know what I would be getting myself into... Others may not be
> I'm also slightly interested in the raw opinions, but no big deal either
> way for me.
>> As for the press, I feel the sooner we get this in the press the better
>> for all. The press loves follow ups as it give them something to write
>> about that they don't have to think up themselves. ;-) This really is an
>> on-going story anyway and it could be useful in getting the attention of
>> the public early instead of just deciding and telling industry. If we
>> want an accepted outcome that people start reacting to quickly, we need
>> to start the buzz sooner rather than later. It gets on people's radar
>> and more importantly, on product/project roadmaps so the modifications
>> can be done, tested and field in time.
> Agree with Kent, but don't feel strongly about it. You might want to
> have some talking points in your pocket if the press does pick up the
> story, even if CVE doesn't seek out press attention. "Public comment,
> ongoing process, board involved, considering various factors like cost
> of adoption/conversion, longevity, usability, etc."
> - Art