[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVEPRI] Recent and upcoming activities


It's been a while since you've heard from us, so I thought I'd give
you a brief summary of some of the major CVE activities.

1) We have almost completed a first pass in processing the legacy
   submissions that you provided to us about a year ago.
   Approximately 600 new candidates will be produced from this first
   pass.  Many submissions were related to configuration problems,
   which pose challenges for CVE in terms of level of abstraction (do
   we assign one candidate or 30?).  These will be researched by the
   content team in the second pass, then discussed with the Editorial
   Board, to determine the best way to handle such issues.  Other
   submissions have incomplete references or details, and we need to
   consult with the source to obtain the proper information.  These
   submissions and others will be processed in the second pass of
   legacy refinement.

2) More details on the legacy issues will be provided when I finish
   editing the results of the content team members who have helped to
   refine the legacy submissions.  After editing, candidate numbers
   will be assigned.  The candidates will be placed in clusters and
   proposed to the Board.  The CAN-1999-XXXX numbering scheme will be
   used for all issues discovered in 1999 and earlier.  For later
   issues, the year of initial announcement will be used (barring some
   rare exceptions related to rediscoveries of old issues).  This
   approach was generally advocated by the Board.  The particular
   choice is less critical now that it is likely that we will be
   changing the entire naming scheme altogether.

3) The creation of candidates for newly discovered security issues has
   suffered due to (a) my personal concentration on finishing the
   first round of legacy problems with others on the content team, and
   (b) the departure of content team member Ramsay Key for grad
   school.  We do have replacement members who are coming "up to
   speed."  In addition, the content team members who have been
   refining the legacy issues for the last six months will be able to
   dedicate more resources to keeping up with new issues - as will I.

4) Recently, we have been discussing the possibility of a face-to-face
   meeting sometime in September.  However, the timing does not seem
   quite right (both for us at MITRE as well as for some Board
   members), so we will delay the face-to-face.  However, we do expect
   to have a teleconference in September.

5) Sometime later this month, I expect to finalize the roles and
   responsibilities of the Board, as well as the process for adding
   new members.  Once that has happened, we will form the CIEL working
   group.  We believe that Brian Caswell, whom some of you may know
   from his work on Snort, will be one of the key MITRE personnel
   working on CIEL.

6) While it seems I keep saying this :-) we believe that we will be
   finishing the process and requirements for CVE compatibility in the
   next few months.  Bob Martin leads this task, but the bottleneck
   has been me, as I have needed to restructure the requirements.  I
   expect to be completing that work sometime in the next month or so.

7) Candidate Numbering Authorities (CNAs) have not been forgotten.

- Steve

Page Last Updated or Reviewed: May 22, 2007