[CVEPRI] Challenge to Reach 1000 CVE Entries by October 16

["Steven M. Christey" <coley@linus.mitre.org>]

All:

As has been discussed in various Board meetings and teleconferences,
the Board has been challenged to expand CVE to 1000 entries by
September.

Unfortunately, it is not likely that this goal will be achieved by the
end of September.  Board members have not been using the voting web as
much as we had hoped, and due to internal delays related to creating
the web site in the first place, it has not been possible to focus on
the CVE-1000 until now.  It was also expected that a series of legacy
candidates would also be ready, but the CVE content team has not
finished the submission refinement yet (although matching is complete
for all 1999 problems).

We are still planning on promoting this milestone at various
conferences in late October, namely SANS and NISSC.  We will have CVE
booths at both locations and will be offering "souvenirs" of that
accomplishment.

So we have a new *hard* deadline for CVE entries - October 16.  Since
CVE is only presently at 815 entries, we run a significant risk of not
achieving this milestone in time.  However, with enough active
participation by enough Board members, we can reach this goal - just
like we did in September last year!

Following is the plan for accomplishing this goal:

0) The Board voting web site has already been put in place so that all
   Board members can vote more quickly and easily.  We did this
   earlier so that it would be easier for Board members to help reach
   the 1000.  With the custom pages on the voting web site, each
   member is able to quickly see which items they haven't voted on,
   which items are the highest priority, etc.

   Email-based confirmation of votes from the web site will begin this
   week.

1) There are about 100 candidates that just need 1 more vote.  They
   will be made available in ad hoc clusters on the voting web site,
   and proposed to the Board.  Please actively review and vote on
   these candidates.

2) More than 100 new candidates will be proposed on Wednesday.

3) Vendor liaisons to the Editorial Board, whether formal or informal,
   will be identified and consulted in cases where there is not clear
   vendor acknowledgement.  (CMEX statistics show that about 50% of
   the candidates don't have acknowledgement.)  This in turn will
   provide some Board members with additional confidence to ACCEPT an
   entry, instead of performing a NOOP.  Given the amount of time that
   vendor consultation will take, however, this approach may not
   produce many results in the short term.

4) With the new precedent-based approach to CD's as outlined in a
   previous email, older candidates will become available for
   acceptance as precedents are set.  I will be conducting a review of
   those candidates and annotating them with the appropriate analysis.

5) Final modifications will be made to CD:VOTE, and an Interim
   Decision will be posted to the mailing list.  Since this has been
   discussed extensively in previous Board meetings and summaries, it
   is not necessary to hold a vote on this CD.  The main effect of
   this will be to allow MITRE's other Board members (Bill Hill and
   Dave Baker) to vote if the rest of the Board is not able to fully
   meet the challenge itself within the time constraints.

6) Each Board member who contributed their database during this summer
   will also receive a custom ballot based on the backmaps to existing
   CVE candidates.  These backmaps still need to be generated,
   however, so those custom ballots will not be available for another
   week or so.


- Steve