
RE: CVE ID Syntax - Seeking Suggestions for Outreach



NIST can put out announcements on the NVD as well as on the relevant mailing lists we have. We will need to send out an announcement in the near future anyway regarding updates to some of the schemas we maintain in order to update the regular expressions for the CVE ID so perhaps we can couple the two announcements together. In addition we could produce output of our own data feeds that match the test data provided by MITRE.

I agree with the other suggestions that once we get "close"* to the need to issue a CVE ID under the new format, a further round of outreach should be engaged in.

* close is yet to be defined, perhaps a month or two to give any stragglers a chance to implement?

Regards,

-Harold

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of Art Manion
Sent: Wednesday, April 02, 2014 2:32 PM
To: cve-editorial-board-list (cve-editorial-board-list@lists.mitre.org)
Subject: Re: CVE ID Syntax - Seeking Suggestions for Outreach

On 2014-04-02, 13:15 , Williams, James K wrote:

> * Post to BugTraq and Full-Disclosure mailing lists.
> * Ask Secunia, PacketStorm, NIST, CERT, DoD, etc to make special announcements on their sites.
> * Promote at DEFCON and Blackhat.

CERT (CERT/CC) can send mail to our vendor contacts and post on our web site, probably a blog entry.  We can talk to US-CERT about something on their web site too.

> -----Original Message-----
> From: owner-cve-editorial-board-list@lists.mitre.org 
> [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of 
> Steven M. Christey

> There also seems to be little press interest, as the syntax change is 
> probably regarded as "old news."

The news story, unfortunately, would be that CVE is not working, despite CVE's best efforts.

> * Are there Board members who are willing to announce the change
>    and/or post educational material to their customer base?  If so,
>    what form would be the most useful - PowerPoint slides, a web page,
>    newsletter, webinar, etc.?

The ability to reference authoritative material from CVE/MITRE is important, and I think already well covered here:

  http://cve.mitre.org/cve/identifiers/syntaxchange.html

  http://cve.mitre.org/cve/identifiers/tech-guidance.html

CERT/CC's announcements would basically point to these references.

> * Would it be effective for us to encourage implementers to announce
>    when they have achieved "compliance" with the new syntax, and then
>    publicize these vendors?  Would this be useful in fostering some
>    competitiveness to drive organizations to a resolution?

Or document new syntax errors if/when they occur?  As examples for others to avoid.

> * Are there ways that we can help customers to directly engage with
>    their vendors to ensure that the issues are addressed?  We have not
>    yet directly emphasized customers in our outreach, but they might be
>    the most effective in contacting the right people within the vendors
>    and getting resolution.

Publish a few test IDs using the new syntax and see what breaks?

Is CVE on track to need the new syntax in 2014?  Without motivation/reason to change, I'd expect continued inertia.


Regards,


 - Art
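As an added illustration (not code from this list, NIST or MITRE) of the two technical points above, the regular-expression update Harold mentions and Art's "publish a few test IDs and see what breaks": a legacy pattern that assumes exactly four sequence digits is run beside one that accepts the 2014 syntax (four or more digits) over a constructed line of text; the IDs in it are invented for the example and do not refer to real entries.

```python
import re

# Legacy pattern many pre-2014 consumers used: exactly four sequence digits,
# unanchored. (Assumption: a typical pattern, not any specific vendor's code.)
LEGACY_CVE_RE = re.compile(r"CVE-\d{4}-\d{4}")

# Pattern for the 2014 syntax: four-digit year, then four OR MORE digits.
# The trailing \b stops the match at the end of the number, so a long
# sequence number is never silently cut short.
NEW_CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")

# Constructed sample text with made-up test-style IDs (not real CVE entries).
SAMPLE_TEXT = (
    "Fixed CVE-2014-1111 and CVE-2014-12345; "
    "see also CVE-2014-1234567 and the malformed CVE-2014-123."
)


def extract_ids(text: str, pattern: re.Pattern) -> list:
    """Return every CVE ID the given pattern finds in text, in order."""
    return pattern.findall(text)


def is_valid_id(cve_id: str) -> bool:
    """Strict whole-string check of one ID against the 2014 syntax."""
    return NEW_CVE_RE.fullmatch(cve_id) is not None


def truncated_by_legacy(text: str) -> list:
    """Pairs (correct_id, what_legacy_saw) where the legacy regex matched
    only the first four digits of a longer sequence number. This is the
    failure mode a "test ID" exercise is meant to surface: the legacy code
    does not error, it quietly reports a different (wrong) CVE ID."""
    truncated = []
    for legacy_match in LEGACY_CVE_RE.finditer(text):
        full_match = NEW_CVE_RE.match(text, legacy_match.start())
        if full_match and full_match.group(0) != legacy_match.group(0):
            truncated.append((full_match.group(0), legacy_match.group(0)))
    return truncated


if __name__ == "__main__":
    print("legacy regex saw:", extract_ids(SAMPLE_TEXT, LEGACY_CVE_RE))
    print("new-syntax regex saw:", extract_ids(SAMPLE_TEXT, NEW_CVE_RE))
    for full, seen in truncated_by_legacy(SAMPLE_TEXT):
        print(f"TRUNCATED: {full} was parsed as {seen}")
```

Running the block shows why a straight regex swap is not enough on its own: the legacy pattern reports a plausible but wrong ID for every five-or-more-digit number, which is the kind of misparse that MITRE's test data and NVD feed output would let an implementer catch before a real ID of that form is issued.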



Page Last Updated or Reviewed: October 03, 2014