[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVEPRI] Request for CVE submissions - "Top 100" and "Last 6 months"


To meet the challenge of 500 CVE entries by Y2K, I requested that
Board members prepare their "top 100" vulnerabilities or exposures
that haven't yet made it to CVE.  The next email will describe the
format that you can use to submit this information.

The original challenge is at http://cve.mitre.org/archives/msg00490.html

In addition, we have a unique opportunity to see how fragmented our
knowledge is "before CVE" by seeing what vulnerability databases have
for problems discovered in the last six months.

Many vulnerability databases have a "date discovered" field which
provides information on when a vulnerability/exposure was first
discovered.  If a number of Board members could use their databases to
send me their list of problems that were discovered in the last six
months - since April 29, the date of the draft CVE - then this will
enable us to do a number of things:

1) Generate CVE candidates for all publicly known vulnerabilities or
   exposures in the last 6 months, producing a "master" Six Month
   List.  (Only a handful of candidates have been assigned that are
   more recent than the draft CVE).

2) We could then get some *real* community-wide metrics, e.g. how many
   problems really were discovered in that period.  (Any predictions?
   I say about 270).

3) CVE-compatible databases could map to the Six Month List and
   thereby identify their own gaps, a la the Interoperability Demo,
   but on a much larger scale.

4) The Six Month List could provide some fertile ground for academic
   research and other follow-on activities.

With a number of Board members providing their Top 100 list and/or Six
Month list, we could have CVE reflect the most important remaining
issues, as well as the most recent.

I look forward to the new submissions.

- Steve

Page Last Updated or Reviewed: May 22, 2007