[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CNA Rules Revision - Final Draft

Hi Chris,


The document looks as if it was developed piecemeal and that is part of my problem.  It is not a ‘finished’ document as it does a weak job of explaining things, uses inconsistent terminology and is missing at least one section (explaining escalations).  Too many simple statements are used to explain things. Not all have the background that MITRE has when it comes to CVE. ;-)


I am not trying to cause issues here and at first read, do not think the issues I have are going to adversely impact the underlying process the document tries to describe. I cannot speak for others but I need to review it just a bit more to be sure.  If that is the case, I suspect the best course of action would be to let the 2.0 document take effect on Jan 1 while Dave, I and others work on making a better version of the CNA Rules document, a 2.1 version.


I am well aware we do not want to change the rules the CNA’s must follow on too frequent a basis. Most of what I have seen should not impact the process the CNAs are following. Once we are done with our edits, changes and additions, we can review the two documents to see if there is any impact to the CNAs. At that point, we can determine what the next step is. 


Also, we need to reconsider the update process timeline.  Not everything needs to be re-reviewed on an annual basis. I just changed the 2.0 Charter draft I have to replace the existing “at least annually” with “as appropriate”.  If we can do this right, there should be no need to have a long and costly update process for the rules document every year unless there is a real need or change in the program that forces the update.


Sound reasonable?


Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!



Kent Landfield





From: "Coffin, Chris" <ccoffin@mitre.org>
Date: Tuesday, December 5, 2017 at 12:46 PM
To: Kent Landfield <Kent_Landfield@McAfee.com>, cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: RE: CNA Rules Revision - Final Draft




A clean copy of the document can be found at http://cve.mitre.org/cve/cna/CNA_Rules_v2.0.pdf.


Are any of the issues you are finding big enough that we should delay implementation on Jan 1, 2018? I would hesitate to delay as we have already communicated this date many times throughout the process and using multiple channels. What I would suggest is that we discuss any significant issues (e.g., rule changes) on the list and in the Board calls and determine if any of them should be handled as out-of-band. This would be a good opportunity to test out the previously discussed scenario where a significant change to the CNA Rules must occur outside of the yearly update process.






From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Landfield, Kent
Sent: Tuesday, December 5, 2017 9:51 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CNA Rules Revision - Final Draft


Dan posted this out a couple months ago.


Due to breaking my leg and being laid up I was not really able to review this, especially using the chunky approach taken for reviewing this document.  This is called a final draft, but from the message below it appears to be the final version as timelines are specified as to when this version will take effect.  I am reviewing this document now and finding issues.  I am also aware of another Board reviewer who is also finding issues in this version.  In addition, there are 50 outstanding items that are “to be considered”.  Who determined why these 50 items would be deferred?


In the future, it would be beneficial if documents such as these are sent to the Board for a final approval as they affect the program as a whole. Also, a clean copy should be sent that has all the changes listed in the document as accepted. 


I personally believe this document is in need of work. I propose we delay this version until around the time of the Face to Face summit meeting so the Board has the opportunity to review the ‘proposed final version’ of the CNA Rules in its final form instead of the ‘1 section here, 1 section there’ approach that was taken to develop it. It still needs work if we believe this to be the foundation for CNA interaction going forward. Getting this corrected now will make it easier and better for all. 


In any case, documents of this significant should require a Board vote.




Thank you, Gracias, Grazie,  谢谢, Merci!, Спасибо!, Danke!ありがとうधन्यवाद!


Kent Landfield





From: <owner-cve-editorial-board-list@lists.mitre.org> on behalf of "Adinolfi, Daniel R" <dadinolfi@mitre.org>
Date: Thursday, October 5, 2017 at 9:10 AM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: CNA Rules Revision - Final Draft




After three months of collecting the community's feedback, ideas, and suggestions, we have updated the CNA Rules.


Thank you to everyone who shared their time and energy to help improve CVE and the CNA Program!


The final draft is included with this message, along with a list of outstanding issues from the revision process.


CNA Rules v2.0week8.docx is the final draft revision for this year's revision process. (This file is also located at <https://github.com/CVEProject/docs/blob/cna-documents/cna/CNA%20Rules/CNA%20Rules%20Development/CNA%20Rules%20v2.0week8.docx>.) The final version of the CNA Rules v2.0 document will be posted on the CVE Website by October 13, 2017, and they will be in effect as of January 1, 2018.


OutstandingIssues.docx is a list of the open issues found in the CVE GitHub Issue Tracker: <https://github.com/CVEProject/docs/issues>. This document includes a brief description of the current state of each open issue.


The outstanding issues will remain open to allow the community to continue their discussions on those issues. If an issue finds resolution before the next CNA Rules revision cycle (starting July 2018), the CVE Board can recommend an out-of-band update to the CNA Rules if they deem it necessary.


If you have any questions about the updates, please let me know. If you have additional thoughts about the open issues, please share them on the GitHub Issue Tracker.






Daniel Adinolfi, CISSP

Lead Cybersecurity Engineer, The MITRE Corporation

CVE Numbering Authority (CNA) Coordinator

Email: <dadinolfi@mitre.org>  Phone: 781-271-5774




Page Last Updated or Reviewed: December 05, 2017