[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE update free service


Some people may be wondering why MITRE is not providing such a
service.  There are a few reasons:

1) CERIAS actually tracks CVE changes at a greater level of detail
   than we do (we know when we make changes ;-) It would require some
   additional programming for us to provide such a capability.  I
   think we have higher priority tasks.

2) The need for these updates is becoming more pronounced due a
   combination of various factors: (a) the increasing number of
   candidates that are being reserved and then published, (b) the
   "time lag" that occurs between when a candidate is initially
   published, and when the candidates are proposed to the Board as
   part of a cluster, and (c) my desire to minimize the amount of
   content-related traffic to the Board, which means minimizing the
   number of clusters and trying to avoid more regular content

3) I do not think that MITRE could provide such a notification
   capability to a subset of people, e.g. the Editorial Board.  We
   would need to provide it to the public.  We already provide
   summaries of proposed candidates to the cve-data mailing list.  To
   extend the capability to daily notifications would enhance CVE to
   the point where people would be more likely to use CVE as a
   vulnerability notification service, which further "competes" with
   other services out there (many of which also happen to be major CVE
   sources).  Obviously the linkage between CVE, ICAT, and Cassandra
   blurs this line, but I don't think that CVE should necessarily be
   the original source.  In addition, the information is already
   available on the web site - people can write their own "change
   management" routines using information that's already on the web
   site (and the CVE web site logs indicate that some people already
   do this, besides CERIAS).

All that said, the primary cause of this growing need is due to the
time lags, which we are working to resolve, as will be proven in the
next set of candidate clusters to appear in a mailing list near you
within the next few days ;-) In the longer term we recognize that some
people (especially database maintainers) may prefer to obtain detailed
CVE change logs from the source, but it is a fairly low priority at
this time, and we will have to consider ways of providing the
information without supplanting existing notification services.

- Steve

Page Last Updated or Reviewed: May 22, 2007