[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[TECH] CVE content update

Here is a short update on CVE content.

Over the last half of 2002, we have been following a new process that
streamlines the generation of candidates for "important" issues.

1) More researchers and vendors (especially Linux vendors) are
   reserving candidate numbers from MITRE ahead of time.

2) MITRE is conducting more "out-of-band" (priority) assignment for
   issues that are not explicitly reserved, but satisfy some vague
   definition of "high priority," which generally covers (a) security
   advisories for a major product/OS, or (b) an important issue in a
   major product, even if it has not been acknowledged by the vendor.

3) The original submission refinement process, as documented heavily
   in various CVE papers including the one at
   http://cve.mitre.org/docs/docs2002/prog-rpt_06-02/ , has been split
   into two separate streams:

   - First pass - I perform both matching and refinement on incoming,
     recent submission lists, focusing on a list from a particular CVE
     source.  I concentrate primarily on "easy-to-create" issues as
     well as "moderately important" issues.  Complex issues might be
     deferred for deeper analysis.

   - Second pass - the rest of the CVE content team processes the
     submissions that are not removed from the first pass.  This may
     include more complex issues, but it also includes far more
     submissions that already match candidates from the First pass,
     although they may suggest additional references.  As CVE Editor,
     I still need to review and approve "second pass" refinements.

Due to several unexpected non-CVE emergencies over recent months, I
have fallen behind a little bit on First pass refinement.  CVE content
team members have been steadily creating candidates during Second pass
refinement, but they still need to be edited before being proposed.

However, I have steadily maintained the pace on steps 1 and 2
(reservation and out-of-band assignment), which means that the most
important issues are still being assigned CVE candidates within hours
or days.

Shortly, I will be proposing approximately 500 candidates, most of
them from steps 1 and 2 (i.e. already public), and the remainder from
first pass refinement.

I will then be creating a new CVE version.

Second pass refinements will generate another 500 candidates or so,
and those will be proposed within a month, after I have edited them.

The CVE content team is currently discussing additional improvements
to the refinement process.

Finally, the concept of "voting clusters" is becoming untenable as the
number of publicized issues increases, along with our own process
modifications.  I will be examining alternate ways of proposing
candidates to Board members and/or supporting alternate methods of

- Steve

Page Last Updated or Reviewed: May 22, 2007