
Second round of discussion and voting for new CVE ID Syntax

We appreciate the attention and involvement of the Board in the ongoing discussion of the CVE ID Syntax change. Our next tasks are to converge on options and hold a second vote. After digesting the results of the vote and the discussions of the last couple of weeks, we would like to propose the following “way forward” for the Board’s review.


We suggest a second vote, considering only the following two options:


OPTION A': Year + 8 digits, padded with leading 0's

  Examples: CVE-2014-00000001, CVE-2014-00000999, CVE-2014-00001234,
    CVE-2014-00009999, CVE-2014-00010000, CVE-2014-00123456,
    CVE-2014-01234567, CVE-2014-12345678


Given the discussion and concerns about the length of the number field of Option A, we have chosen 8 digits as a compromise among the various field lengths suggested. We believe 8 digits is a reasonable compromise and addresses the positive and negative discussion points raised regarding various lengths. We recognize that 8 digits is not exactly what everyone suggested, but we are offering it for consideration as something proponents of the fixed-length option could live with.


OPTION B: Year + arbitrary digits, no leading 0's except IDs 1 to 999

  Examples: CVE-2014-0001, CVE-2014-0999, CVE-2014-1234,
    CVE-2014-9999, CVE-2014-10000, CVE-2014-54321, CVE-2014-99999,
    CVE-2014-100000, CVE-2014-123456, CVE-2014-999999, CVE-2014-1234567


Option B is unchanged from the original proposal and vote.


We realize that people will want to digest and possibly discuss these options. Again, we are looking to converge on two "votable" options so we can make a decision and move forward. One way to approach this could be for each voting member to consider the options as presented (with no further modifications), and decide if either is a choice you can "live with." None of this should in any way be read or understood as precluding or otherwise restricting comment and discussion, simply as a possible path to convergence.


For this round, we suggest a brief comment and discussion period with a slightly more restricted audience. We believe that an abbreviated comment period is appropriate since the topic has been an active, ongoing discussion on the Board list and that many well-thought-out points, comments, and suggestions have been made. We do not feel it is necessary to open up comments to the general public as we did with the first round. We believe that anyone who is not on the Board mailing list but is interested in following the ID Syntax change discussion will have already subscribed to the public CVE-ID-Syntax-Discuss mailing list. If you wish to subscribe:


- Send email to listserv@lists.mitre.org

- In the body of the email, type:

        subscribe CVE-ID-SYNTAX-DISCUSS-LIST


If you wish to have your name included in your subscription, or if you have trouble subscribing using the above form, please use the alternate “Subscribe” line:

        subscribe CVE-ID-SYNTAX-DISCUSS-LIST <your name>

       … without the “<” and “>”


It should be noted that some Board members have already opted in to the CVE ID Syntax Discuss list; others may choose to do so if they want to see comments and discussion not posted to the Board mailing list. As an aside, we discussed and rejected the idea of auto-forwarding the CVE-ID-Syntax-Discuss list to the Board mailing list, reasoning that:

1) We do not want to decide on your behalf what hits your inbox

2) We archive Board discussions as part of the CVE web site and do not believe it is appropriate to extend what we archive


Finally, a suggestion was made earlier that in the event of a tie vote MITRE should break the tie. We would like feedback from the Board on this during the comment period. Regardless of whether the Board chooses to have MITRE break a possible tie, MITRE will vote very early in the voting period so other voting Board members know our preference.


We propose the following schedule:


- Wednesday, 1 May 2013, 12:01 AM - Discussion period opens to the CVE Editorial Board and CVE ID Syntax Discuss mailing lists

- Tuesday, 7 May 2013, 11:59 PM - Discussion period closes


- Wednesday, 8 May 2013, 12:01 AM - Second official voting period begins

- Wednesday, 22 May 2013, 11:59 PM - Second official voting period ends


All other rules and guidelines from the first voting period remain in place for the second round, such as the requirement to receive votes from a majority of the eligible voting members/organizations and the selection being made based on a simple majority of the votes cast. The rules for the vote will be reprised to this list prior to the voting period.


Please let us know your thoughts regarding the above proposal. Again, while we recognize the many legitimate and well-founded reasons for options other than the two now being offered, we need to quickly converge on the candidate options and make a selection while ensuring a fair, open, and thoughtful process.


Steve Boyle
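
The two candidate syntaxes from the message above, written as validators and formatters (an added example, not part of the original message or any MITRE code). The function names and the rule that sequence numbers start at 1 are assumptions; the last function shows that plain text sorting matches numeric order only for the fixed-width Option A'.

```python
import re

# Option A': four-digit year, then exactly 8 digits padded with leading zeros.
OPTION_A = re.compile(r"CVE-(\d{4})-(\d{8})", re.ASCII)
# Option B: four-digit year, then 4 or more digits; a leading zero is allowed
# only in the 4-digit form, i.e. for IDs 1 to 999 (0001 .. 0999).
OPTION_B = re.compile(r"CVE-(\d{4})-(0\d{3}|[1-9]\d{3,})", re.ASCII)


def parse(cve_id, pattern):
    """Return (year, sequence) if cve_id matches pattern exactly, else None."""
    m = pattern.fullmatch(cve_id)
    if m is None:
        return None
    year, seq = int(m.group(1)), int(m.group(2))
    # Assumption: numbering starts at 1, as in the message's examples.
    return (year, seq) if seq >= 1 else None


def format_a(year, seq):
    if not 1 <= seq <= 99_999_999:
        raise ValueError("Option A' holds at most 8 digits")
    return f"CVE-{year:04d}-{seq:08d}"


def format_b(year, seq):
    if seq < 1:
        raise ValueError("sequence numbers start at 1 (assumption)")
    return f"CVE-{year:04d}-{seq:04d}"  # pads to 4 digits, grows beyond that


def text_sort_is_numeric(ids, pattern):
    """True if plain string sorting puts the IDs in (year, sequence) order."""
    return sorted(ids) == sorted(ids, key=lambda i: parse(i, pattern))


# Examples taken from the message above.
A_EXAMPLES = ["CVE-2014-00000001", "CVE-2014-00009999", "CVE-2014-00010000",
              "CVE-2014-12345678"]
B_EXAMPLES = ["CVE-2014-0001", "CVE-2014-0999", "CVE-2014-9999",
              "CVE-2014-10000", "CVE-2014-1234567"]

if __name__ == "__main__":
    # "CVE-2014-01234" is a constructed invalid ID (leading zero, 5 digits).
    for cve in A_EXAMPLES + B_EXAMPLES + ["CVE-2014-01234"]:
        print(cve, "A':", parse(cve, OPTION_A), "B:", parse(cve, OPTION_B))
    print("A' text sort is numeric:", text_sort_is_numeric(A_EXAMPLES, OPTION_A))
    print("B  text sort is numeric:", text_sort_is_numeric(B_EXAMPLES, OPTION_B))
```

An 8-digit ID with no leading zero, such as CVE-2014-12345678, is valid under both options, so a consumer cannot always tell the two syntaxes apart from a single ID.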


Page Last Updated or Reviewed: October 03, 2014