Re: CVE ID Syntax - Seeking Suggestions for Outreach



On 2014-04-02, 13:15 , Williams, James K wrote:

> * Post to BugTraq and Full-Disclosure mailing lists.
> * Ask Secunia, PacketStorm, NIST, CERT, DoD, etc. to make special announcements on their sites.
> * Promote at DEFCON and Blackhat.

CERT (CERT/CC) can send mail to our vendor contacts and post on our web
site, probably a blog entry.  We can talk to US-CERT about something on
their web site too.

> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Steven M. Christey

> There also seems to be little press interest, as the syntax change is
> probably regarded as "old news."

The news story, unfortunately, would be that CVE is not working, despite
CVE's best efforts.

> * Are there Board members who are willing to announce the change
>    and/or post educational material to their customer base?  If so,
>    what form would be the most useful - PowerPoint slides, a web page,
>    newsletter, webinar, etc.?

The ability to reference authoritative material from CVE/MITRE is
important, and I think already well covered here:

  http://cve.mitre.org/cve/identifiers/syntaxchange.html

  http://cve.mitre.org/cve/identifiers/tech-guidance.html

CERT/CC's announcements would basically point to these references.

> * Would it be effective for us to encourage implementers to announce
>    when they have achieved "compliance" with the new syntax, and then
>    publicize these vendors?  Would this be useful in fostering some
>    competitiveness to drive organizations to a resolution?

Or document new syntax errors if/when they occur?  As examples for
others to avoid.

> * Are there ways that we can help customers to directly engage with
>    their vendors to ensure that the issues are addressed?  We have not
>    yet directly emphasized customers in our outreach, but they might be
>    the most effective in contacting the right people within the vendors
>    and getting resolution.

Publish a few test IDs using the new syntax and see what breaks?

Is CVE on track to need the new syntax in 2014?  Without
motivation/reason to change, I'd expect continued inertia.


Regards,


 - Art


Page Last Updated or Reviewed: October 03, 2014