[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Summary of CNA Rules review session 7/11
- To: Multiple recipients <LISTSERV@LISTS.MITRE.ORG>
- Subject: Summary of CNA Rules review session 7/11
- From: "Adinolfi, Daniel R" <dadinolfi@mitre.org>
- Date: Thu, 13 Jul 2017 00:04:03 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is 129.83.29.3) smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (message not signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=none header.from=mitre.org;
- Delivery-date: Wed Jul 12 20:42:29 2017
- List-help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
- List-owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
- List-subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
- List-unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
- Sender: <owner-cve-editorial-board-list@lists.mitre.org>
- Spamdiagnosticmetadata: 5952c28dcc454f0789fb433d26f936ef
- Spamdiagnosticoutput: 1:2
- Thread-index: AQHS+2uJs/Ejx4MSqkugoVeSz72CKw==
- Thread-topic: Summary of CNA Rules review session 7/11
- User-agent: Microsoft-MacOutlook/f.23.0.170610
|
All, On Tuesday, 7/11, we held a conference call to give the CNA community an opportunity to discuss the CNA Rules and suggest any changes they thought would be useful as we enter this year's CNA Rules
review period. The CNA Rules review process will make use of the GitHub site for tracking the suggested changes. The current list of suggestions is here: <https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/Suggested%20Rules%20Changes> Anyone interested in making a suggestion can still add information to that file. The group suggested we make use of the GitHub Issue tracker that is part of GitHub infrastructure, and we will migrate
to using the Issue tracker for the second phase of the review process. There was general consensus that the CNA Rules as they are today are working well in general. That said, the discussion pointed out a number of places where more meta-information about the CVE List
would be useful, such as better statistics on the total number of CVE IDs assigned, reserved, or rejected. Also, more information about what software is related to what vulnerabilities would be useful (e.g., the "supply chain" problem). Some of this meta-information
can be included in JSON-based submissions. Other data would need to be submitted by CNAs and Root CNAs up the chain to the Primary CNA for collation and reporting. Some rules to facilitate all this will be included in the suggestions. No one objected to making the JSON format the preferred method for describing CVE ID entries. A set of guidelines on data formats will be added to the CNA Rules which will include this idea. A number of opportunities for making use of automated tools and processes were suggested, and those suggestions will be passed along to the Automation Working Group. The meeting ended with a discussion of how to change the CNA Rules to reduce the gap in time between when a CVE ID is made public and when the entry is published in the CVE List. Any changes to the
CNA Rules would have to be guidelines instead of hard-and-fast deadlines, but having those guidelines will help push processes along within CNA organizations. The next open CNA Rules review session will be 10:30AM ET on 20 July. Thanks. -Dan _________________________ Daniel Adinolfi, CISSP Lead Cybersecurity Engineer, The MITRE Corporation CVE Communications and CNA Coordinator Email: <dadinolfi@mitre.org> Phone: 781-271-5774 |
- Prev by Date: Atlassian follow-up
- Next by Date: Re: An example of hardware/software vulns - GPUs
- Previous by thread: Re: Atlassian follow-up
- Next by thread: CVE Board Meeting Minutes - 28 June 2017
- Index(es):
