
CVE Advancements

Happy 2016!

Sorry for my slow reply.  Getting sick over the holidays is no fun.

CVE Issues discussed recently.

  *   Current CVE Operational Background and needed improvements
  *   CVE CNA Rules and Guidelines
  *   Existing CNA problems and guidelines to address them
  *   CVE Coverage - Prioritized scope of coverage for CVE / associated Sources and Products
  *   A simpler counting approach
  *   Board Responsibilities
  *   US Focus of CVE in a world where software is being developed globally
  *   The Future Management Architecture of CVE Assignment - federated CVE
  *   CVE Uses - database / NVD, others
  *   CVE Backlog
  *   Funding of CVE operations
  *   The required quality of final CVE entries
  *   Board membership and the process for adding members

And I am sure there are others I have missed...

At the Face-to-Face we held at RSA last year we discussed having a multi-day
CVE Editorial Board Engineering and Organizational workshop.  The plan was
for it to be open to Editorial Board members with the major purpose of
addressing many of the outstanding issues at the time.  The set of issues has
not been addressed. We all recognize that and at the rate we are making
progress now, we may be talking about the same issues in two years with little

What we need to do is to get those interested in fixing the current issues,
advancing CVE and putting it on a successful path, to get together in the
same room for a few days to have high-bandwidth, open and honest discussions
about the way forward.

I don't see us being successful without an event such as this.  I know RSA
is once again coming up but any meeting we will have there will be limited
to potentially a couple hours due to everyone's schedules.  What we need
is to have this type of F2F in a place where we can be totally focused on
CVE and its improvements.

Would MITRE or anyone here want to hold such an event?  I suspect we would
need three days to discuss the issues and come to some agreement.  I suspect
late March or early April could be a good time to shoot for.  We would
need to set up an agenda to assure we were addressing a prioritized set of
issues in order to get the most out of the workshop.

If we are serious about correcting CVE related issues we need this time...


Kent Landfield

Page Last Updated or Reviewed: January 05, 2016