CVE Blog
The purpose of this blog is to establish a dialogue and get your input on issues and topics important to CVE. Right-click and copy a URL to share a post.
Please use our LinkedIn page, or the CVE Request Web Form by selecting “Other” from the dropdown, to comment on the post below.
What's your opinion on how Descriptions are used in CVE IDs?
Comment on LinkedIn | Share this post
Since its inception in 1999, the CVE Program has included IDs, references, and
descriptions in CVEs. Descriptions have primarily functioned as a method for the CVE Program to search CVEs, identify duplicates, and perform other similar functions.
We believe that other members of the community use Descriptions as well, but are unsure how they are used today or which parts of Descriptions are considered valuable.
The CVE Team invites you to contact us via our CVE Request Web Form (select “Other” from the dropdown) between now and November 17, 2016 to tell us about your experience using Descriptions. All feedback will be collected, aggregated, and posted on this page the week of November 28, 2016. Please let us know in your message if you do not want your feedback included in the publicly posted results.
Any and all feedback about Descriptions in CVE IDs is welcome, but in your response we ask that you please answer these three specific questions:
- Do you use or have a business need for Descriptions in CVE IDs as they exist today? If yes, can you explain the use or need? If not, would a CVE ID still be useful to you without the Description (i.e., an ID and one or more references)?
- Descriptions include information such as affected products and versions, affected components, attack types, attack vectors, and impact. Do you find all of this information equally valuable? If yes, what information is of most value and can you prioritize it? Is there any information that you would suggest CVE add or include when available (i.e., are Descriptions in CVE IDs missing anything)? Is there information included in a CVE Description that is not valuable to you? Why?
- What industry or community do you associate yourself with (e.g., government, vulnerability discloser, security product vendor, security product user, security industry, other)? This will help us identify how valuable descriptions are to CVE Program stakeholders.
We look forward to hearing from you!
- The CVE Team
November 4, 2016
CVE Request Web Form
(select “Other” from dropdown)
Recent Posts
- We Speak CVE Podcast: CVE Working Groups, What They Are and How They Improve CVE
- We Speak CVE Podcast: Managing Modernization and Automation Changes in the CVE Program
- Our CVE Story: Leading the Way for Vulnerability Disclosures in Physical Security Systems (guest author)
- We Speak CVE Podcast: How the New CVE Record Format Is a Game Changer
- Our CVE Story: JPCERT/CC (guest author)
- More >>
