
CVE and NVD WAS: Counting on CVEs

>From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of security curmudgeon
>NVD needs to go away. Completely. The money they receive from NIST should
>be re-assigned to CVE. Hell, the existing contract could stay in place so
>very little is actually changed. For those not aware, NVD outsources the
>CVSS scoring to Booze-Allen junior analysts. The only real value NVD
>brings to the table, that so many rely on them for, is CVSS scoring.
>Having those same analysts report to MITRE instead of NIST would eliminate
>another issue many in the industry have, that being the extra day or three
>delay between CVE assignment and CVSS scoring. If CVE had those analysts,
>they could get a score affiliated with a CVE assignment that much quicker,
>not have to go through the daily push of data to NVD who then pushes it on
>to BA.

Two things on this.

First, just my opinion, but I think combining CVE and NVD would be very bad for CVE.

CVE operates much further upstream in the vulnerability life-cycle than NVD does, as we should expect. The core CVE analytical work is assignment of IDs at a reasonably consistent level.  We need to do this as fast as we can while maintaining enough quality in our descriptions to keep the system searchable.

The analytical work done on NVD is related, but different.  They focus more on affected platforms and CVSS scoring.  This is really a second phase of analytical work and trying to do that concurrently with CVE analysis would only serve to slow down CVE publication - and dramatically so. 

>Again, it's the government, two agencies and two contractors that...

A small point of clarification that's worth mentioning whenever it comes up...

The MITRE Corporation is a not-for-profit organization chartered to work in the public interest. In this capacity, MITRE operates several Federally Funded Research and Development Centers for the US Government.  FFRDCs are neither government nor competitive commercial companies.   The term "contractor" typically refers to for-profit commercial companies. Contractors and commercial vendors are critically important to the security community, but it is useful to distinguish between FFRDCs and "contractors".  

David Mann | Principal Infosec Scientist | The MITRE Corporation
e-mail:damann@mitre.org | cell:781.424.6003

Page Last Updated or Reviewed: November 06, 2012