
Mid-August Deadline for CVE Review?


We need to discuss timing issues dealing with the review 
of CVE content.  The big issue here is the setting of a 
hard and fast release date for the CVE, which will in turn
drive decisions about the review of the initial content.

One of the big pieces of feedback that we got from
everybody at the SANS meeting was that we only have
one shot to introduce the CVE as a new thing and that
we need to do the introduction right. We have taken
your advice to heart and we believe that timing is
critical.  On the one hand, we need to provide you,
the Editorial Board, a reasonable amount of time to
digest the initial content of the CVE. Also we believe
that a public release will generate more attention
after the vacation season has passed.  On the other
hand, if we prolong the release too long, we run the
risk of the CVE effort languishing in the mud, so to

At SANS, we proposed a mid to late June release date.
In an attempt to balance these 2 pressures, we are
going to shoot for a release date sometime in September
with a possible public announcement to be made at a 
conference in October.  In order to make a September release
date, we will need to have all feedback on CVE content
issues (excluding the steady stream of new vulnerabilities)
resolved by mid to late August.  This will give us just 
2 months to complete the technical review of some 650 

Shortly, Steve will put out a more detailed announcement
detailing our proposed schedule for moving the CVE entries 
out for review.  My personal observation about this is 
that we clearly need to treat the review of the initial 
CVE content differently than what will become the ongoing 
review of new CVE entries.  In a word, it will have to 
happen faster.

One idea we are considering in order to facilitate faster
review is to press ahead with a very aggressive review 
schedule. The purpose of this initial review will be to
identify vulnerabilities that we find broad agreement on.
For those on which we cannot find *fast* agreement, we 
propose that MITRE host a 1 or 2 day meeting in mid August.
The purpose of this meeting will be to hammer out agreement
on the remaining vulnerabilities. [Thanks to Adam Shostack
for suggesting this to us.]

So 2 direct questions for you:

1) Are there any major objections to a mid to late
   August deadline for the initial CVE content review?
   If so, should the date be moved forward or back and 

2) Would you be open to attending a workshop here at
   MITRE in the mid to late August time frame to deal with 
   unresolved content decisions?


David Mann                     ||  phone: (781) 271 - 2252
INFOSEC Engineer/Scientist, Sr || 
Enterprise Security Solutions  ||    fax: (781) 271 - 3957
The MITRE Corporation          ||
Bedford, Mass 01730            || e-mail: damann@mitre.org

Page Last Updated or Reviewed: May 22, 2007