[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Methods for validating the current CVE



Dave,

My team has specifically asked if MITRE has already completed (or done some
work) on the mappings. I think they'd like some idea as to what work has
already been done, as opposed to just starting with CVEs and descriptions.

I know you or Steve have mentioned that there are still some issue to be
solved in the mappings. I might also be speaking for other participating
vendors in saying that I'd only need mappings from my VDB to the CVE, and
not those from other vendors (a nice to have, but definitely not a
showstopper).

Please advise on whether at least a partial mapping could be generated, and
if so, we could get started on verifying those.

Andre

> -----Original Message-----
> From: Dave Mann [mailto:damann@mitre.org]
> Sent: Thursday, May 13, 1999 4:33 PM
> To: Steven M. Christey
> Cc: cve-review@linus.mitre.org
> Subject: Re: Methods for validating the current CVE
>
>
> How about we cull out the "safe" canidates first and then
> send that trimmed down list for verification. Non-MITRE folks,
> do you think you could give faster turn around on a short list
> who's entries map 1-1 to elements in the common tools? Vendors,
> would it be helpful to get our opinion on the mappings? [many
> thorny issues here]
>
> Thus, the approach would be to get fast opinions on what we
> can get agreement on quickly. Then turn to the more contentious
> entries.
>
> Opinions?
>
> Dave
>
> "Steven M. Christey" wrote:
> >
> > All:
> >
> > I like Russ' idea of reviewing the current CVE entries in the mailing
> > list, but there really is an awfully large number to deal with.
> > However, I think there are lots of entries where there should be no
> > (or little) debate.  We may be able to quickly agree on a relatively
> > large percentage of the current entries.  Still, 8 per day for a month
> > only covers about 35% of the vulnerabilities.
> >
> > I believe there are probably about 50 to 100 entries that could be
> > "hot topics" or require some degree of change.  I could create a
> > default form and post a few "controversial candidates" per day to the
> > list.  What do people think?
> >
> > - Steve
>
> --
>
>
>
> =========================================================
> David Mann                     ||  phone: (781) 271 - 2252
> INFOSEC Engineer/Scientist, Sr ||
> Enterprise Security Solutions  ||    fax: (781) 271 - 3957
> The MITRE Corporation          ||
> Bedford, Mass 01730            || e-mail: damann@mitre.org
>
>

Page Last Updated or Reviewed: May 22, 2007