
[CVEPRI] CVE Progress Update


This list has been very quiet lately, but that will change shortly.

In the last year, we have been focusing on reservation and prioritized
creation of new CVE candidates.  There has been heavy adoption of CVE
reservation by the Linux community, as well as most major researchers.
We now reserve candidates on an almost daily basis.

In the past fiscal year, we received an increase in funding from our
sponsor, the Department of Homeland Security (which is the new home of
FedCIRC/US-CERT, which was our previous sponsor when it was part of
the General Services Administration).  We have been able to increase
the staffing levels for the CVE content team, and to slowly-but-surely
transition additional responsibilities to those team members.  In some
important ways, CVE content generation had not evolved from the
"one-person project" that it once was.  We have been working hard on
fixing that, so that the workload is distributed more.

As a result of the additional funding and our process changes, we now
have a dedicated staff member who is concentrating on the timely
assignment of candidates to new issues, especially those that are
posted to Bugtraq.  The specific mechanics of this process are still
being ironed out somewhat, but I expect that we will be creating (and
proposing) 40 or more candidates every week.  Some of you will recall
that we attempted to do this a couple years ago, but unfortunately
that member was not able to keep up with the onslaught of new bugs.
However, I am quite confident in the abilities of one of our more
recent members, Jen Schommer, in accomplishing this task.

I am still heavily involved in candidate reservation, same-day
assignment of candidates to important issues, coordinating the content
team activities, and generating additional content when I can.

Other content team members concentrate on "downstream processing,"
which involves the submission creation, matching, and refinement
phases as we have described in the past, and which are documented in
various papers on the CVE web site.  Based on what I have seen in our
past "triage" efforts, downstream processing will handle most
"stragglers" - vulnerabilities in obscure products, and/or
vulnerabilities that did not receive wide attention by the entire
security community.  Our newest hire, Charles Schmidt, is the main
person who is involved in downstream processing.

We will address older issues as time allows.

We have not been concentrating on just candidate generation, however.
In the past 6 months, we have also developed procedures for evaluating
the accuracy and completeness of CVE mappings of products that wish to
be certified as CVE-compatible.  We recently completed the first round
of mapping evaluations, and we gave out the first awards at the recent
RSA conference.  We have some improvements to make in the efficiency
of our mapping evaluation process, but there is already a set of new
products waiting in the wings for the next round of evaluation.  Our
veteran content team member, Barbara Pease, will be leading the
mapping evaluation efforts, while another recent addition, Tim
Bergendahl, will also support this task.  They will also contribute to
CVE content generation when feasible.

Bob Martin, our CVE compatibility lead, will send a separate email
with a progress report on CVE compatibility.

We have two other major activities planned for the near term:

  - A new CVE version within a month

  - Making changes in Editorial Board membership, by adding new
    members, and saying goodbye to some old members

After the Editorial Board membership changes, we will plan an
Editorial Board meeting.

We hope to conduct a number of other activities and make additional
improvements over the coming year.  For example, we are figuring out
how to work more closely with other DHS-sponsored efforts such as
OVAL, ICAT, and US-CERT's vulnerability notes.  We also anticipate a
one-time change to the CVE naming scheme in January 2005.

It's now been a little over 5 years since Dave Mann and I first
proposed the CVE concept at Purdue's Workshop on Security
Vulnerability Databases in January 1999.  As we look back on what we
have accomplished (and what we still must do), we are grateful for all
the support from the Editorial Board and the security community at
large.  We are starting to see some large-scale benefits of CVE that
we had originally visualized all that time ago.  Thanks to everyone on
the Editorial Board, and we look forward to an invigorating 2004.


Page Last Updated or Reviewed: May 22, 2007