[CVEPRI] Challenge to Reach 1000 CVE Entries by October 16
As has been discussed in various Board meetings and teleconferences,
the Board has been challenged to expand CVE to 1000 entries by
Unfortunately, it is not likely that this goal will be achieved by the
end of September. Board members have not been using the voting web as
much as we had hoped, and due to internal delays related to creating
the web site in the first place, it has not been possible to focus on
the CVE-1000 until now. It was also expected that a series of legacy
candidates would also be ready, but the CVE content team has not
finished the submission refinement yet (although matching is complete
for all 1999 problems).
We are still planning on promoting this milestone at various
conferences in late October, namely SANS and NISSC. We will have CVE
booths at both locations and will be offering "souvenirs" of that
So we have a new *hard* deadline for CVE entries - October 16. Since
CVE is only presently at 815 entries, we run a significant risk of not
achieving this milestone in time. However, with enough active
participation by enough Board members, we can reach this goal - just
like we did in September last year!
Following is the plan for accomplishing this goal:
0) The Board voting web site has already been put in place so that all
Board members can vote more quickly and easily. We did this
earlier so that it would be easier for Board members to help reach
the 1000. With the custom pages on the voting web site, each
member is able to quickly see which items they haven't voted on,
which items are the highest priority, etc.
Email-based confirmation of votes from the web site will begin this
1) There are about 100 candidates that just need 1 more vote. They
will be made available in ad hoc clusters on the voting web site,
and proposed to the Board. Please actively review and vote on
2) More than 100 new candidates will be proposed on Wednesday.
3) Vendor liaisons to the Editorial Board, whether formal or informal,
will be identified and consulted in cases where there is not clear
vendor acknowledgement. (CMEX statistics show that about 50% of
the candidates don't have acknowledgement.) This in turn will
provide some Board members with additional confidence to ACCEPT an
entry, instead of performing a NOOP. Given the amount of time that
vendor consultation will take, however, this approach may not
produce many results in the short term.
4) With the new precedent-based approach to CD's as outlined in a
previous email, older candidates will become available for
acceptance as precedents are set. I will be conducting a review of
those candidates and annotating them with the appropriate analysis.
5) Final modifications will be made to CD:VOTE, and an Interim
Decision will be posted to the mailing list. Since this has been
discussed extensively in previous Board meetings and summaries, it
is not necessary to hold a vote on this CD. The main effect of
this will be to allow MITRE's other Board members (Bill Hill and
Dave Baker) to vote if the rest of the Board is not able to fully
meet the challenge itself within the time constraints.
6) Each Board member who contributed their database during this summer
will also receive a custom ballot based on the backmaps to existing
CVE candidates. These backmaps still need to be generated,
however, so those custom ballots will not be available for another
week or so.