[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Regarding CVE assignments on oss-sec mailing list



What do we as the board need to do in order to fully define the issue?

- Do we need to find a way to get more resources for MITRE?
- Is there a depth of research required issue as well?
- What process step are we stuck on the most often?
- Do we have any process metrics available so we can make informed inputs?

We could in parallel start thinking about potential solutions.  I do agree
with Art that we need to understand the issue well before we jump to solutions.

I think MITRE really needs our help on this.   We need to solve this to
help that team continue to succeed.

Scott



> On Nov 27, 2015, at 1:14 AM, Art Manion <amanion@cert.org> wrote:
> 
>> On 2015-11-27 00:31, Kurt Seifried wrote:
>> 
>> On Thu, Nov 26, 2015 at 10:27 PM, Art Manion <amanion@cert.org
>> <mailto:amanion@cert.org>> wrote:
> 
>>    The current assignment model/process is under stress and probably needs
>>    to change for CVE to remain broadly useful and relevant.
>> 
>>    Any thoughts on how to go about this?  Starting with an evaluation of
>>    current state/issues?
> 
>> So I know we have something like 1000+ assigned CVE's that are public
>> and not in the database yet. So the backlog is real.
> 
> So that's an item under current state/issues.
> 
>> One thing I had suggested to Steve Christey ages ago was "lightweight
>> CVEs", e.g. instead of a full write up, just at least give the url for
>> the OSS-Security assignment, or the official vendor advisory/etc (for
>> cases where I had privately assigned it for a project/etc.). At least
>> this way people can track down some info on the CVE easily (you can
>> Google, but you get a lot of "reserved CVE" hits you need to filter
>> out). These lightweight entries could always be promoted to "full CVEs"
>> later on if needed.
> 
> I generally like the idea (a speed/quality tradeoff), but let me suggest
> some process -- figure out where CVE is and what problems it faces
> before trying to solve them:
> 
>  http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/
> 
> Regards,
> 
> - Art


Page Last Updated or Reviewed: November 27, 2015