Re: CVE program priorities

Hi Pascal et al,

Pascal wrote:
> What is "the U.S. IT sector"?

As one would expect, there are many and varying definitions of what constitutes the "U.S. IT Sector." In this case, we picked the "U.S. IT Sector" as a starting point for further discussion because that has historically been one way to describe what CVE covers.  Essentially, we are asking the Board to decide on a definition of priorities that will serve the needs of the community that uses CVE. That definition may or may not turn out to be what some would consider the "U.S. IT Sector."

We share your questions about what would be included or excluded in such a  statement of priorities-we can reasonably expect it to engender at least as many questions as it might answer. However, If we collectively acknowledge that today's CVE cannot cover all publicly known vulnerabilities, then we need to have a shared understanding of the priorities it is to operate against. As you noted later in your comments, we need to balance what is manageable against narrowing coverage to the point of being inconsequential.

With regard to your comments about CVE operations and CNAs, we believe that the CNA pool not only should be, but needs to be opened up more broadly. How that is defined and bounded is subject to further discussion with the Board.

We will note that, based on our experience, we believe there should be qualifications to become a CNA, ongoing measures of effectiveness, and a framework for adding and removing CNAs. In addition, each of those should be clear and publicly documented.

You also touched on many of the topics and concepts we have been mulling over, such as global identifier schemes and other ways to support and govern the operation of cooperating or federated CVE-like enumerations. We will more fully address your and other's related questions and comments in another, combined response email.

Best Regards,
The MITRE CVE Team