[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: CVE ID Syntax - Seeking Suggestions for Outreach

On 2014-04-02, 13:15 , Williams, James K wrote:

> * Post to BugTraq and Full-Disclosure mailing lists.
> * Ask Secunia, PacketStorm, NIST, CERT, DoD, etc to make special announcements on their sites.
> * Promote at DEFCON and Blackhat.

CERT (CERT/CC) can send mail to our vendor contacts and post on our web
site, probably a blog entry.  We can talk to US-CERT about something on
their web site too.

> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Steven M. Christey

> There also seems to be little press interest, as the syntax change is
> probably regarded as "old news."

The news story, unfortunately, would be that CVE is not working, despite
CVE's best efforts.

> * Are there Board members who are willing to announce the change
>    and/or post educational material to their customer base?  If so,
>    what form would be the most useful - PowerPoint slides, a web page,
>    newsletter, webinar, etc.?

The ability to reference authoritative material from CVE/MITRE is
important, and I think already well covered here:



CERT/CC's announcements would basically point to these references.

> * Would it be effective for us to encourage implementers to announce
>    when they have achieved "compliance" with the new syntax, and then
>    publicize these vendors?  Would this be useful in fostering some
>    competiveness to drive organizations to a resolution?

Or document new syntax errors if/when they occur?  As examples for
others to avoid.

> * Are there ways that we can help customers to directly engage with
>    their vendors to ensure that the issues are addressed?  We have not
>    yet directly emphasized customers in our outreach, but they might be
>    the most effective in contacting the right people within the vendors
>    and getting resolution.

Publish a few test IDs using the new syntax and see what breaks?

Is CVE on track to need the new syntax in 2014?  Without
motivation/reason to change, I'd expect continued inertia.


 - Art

Page Last Updated or Reviewed: October 03, 2014