
Re: CVE ID Syntax - Seeking Suggestions for Outreach


Thanks so much for all the ideas!  Keep 'em coming :)

Adam Shostack mentioned the possibility of putting out a new-syntax ID 
early in order to trigger toolchain issues and force a speedier 
resolution.  I believe that if we do this too soon, we could break too 
many toolchains that are not ready.

I believe we need to balance the risk of breaking toolchains (which
will happen no matter how extensive our outreach) with giving vendors
enough time to try to address the problems.  For example, as Harold
Booth has already alluded to, NVD-related schema contains a regular
expression with a 4-digit assumption.  When we put *any* new-syntax
ID into the stream, that could cause XML validation errors that could
completely stop an entire feed from being processed.  I believe there
are probably many other examples like this, where the presence of a
single bad ID can stop an entire data stream, instead of just a couple
records - we simply don't have visibility into all the implications.
The possibility for cascading failures seems high.

But, I believe there are some benefits to a timed, predictable release
of a new-syntax ID.  My thinking has been that near the end of this
year (or early 2015), if CVE hasn't reached 10K IDs yet, we could give
the public some warning, then issue some legitimate 5-digit CVEs that
trigger truncation or other toolchain issues.

Alternately, if it looks like we might reach 10K (which is too soon to 
tell), we could release a new-syntax ID a couple weeks or months before we 
completely run out of 4-digit IDs.  In the meantime, the CVE test data is 
still available, although it's only in the CVE web site's formats. 
Harold, I like your suggestion to package up the CVE test data in NVD 
format, since many CVE-compatible vendors and downstream consumers 
probably get their CVE information from NVD, not cve.mitre.org.

TK asked "how will we know if we have succeeded?"  That's a difficult
question.  If a toolchain breaks, we won't necessarily hear about it,
especially for bespoke/in-house toolchains.  Maybe we want to focus on
whether the right people have heard the message; we can't really
control whether (and how) everybody will address the problem.

Some Board members have been supportive of the idea to have vendors
announce their compliance.  We could possibly measure success if, say,
we reach a certain number (or market share) of vendors and
capabilities who have announced their ability to handle the new

- Steve
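
The failure mode discussed in the message above, as an added example that is not part of the original post or of any NVD or CVE tooling: a whole-feed validator with a 4-digit pattern rejects every record when one longer ID appears, while per-record validation and a truncation check contain the damage. The regular expressions (the new syntax is assumed to allow four or more digits), the function names, the 13-character field width and the sample IDs are all constructed for illustration.

```python
import re

# The 4-digit assumption described in the message, and a pattern that
# accepts longer sequence numbers (assumption: four or more digits).
OLD_ID = re.compile(r"^CVE-\d{4}-\d{4}$")
NEW_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# Constructed sample feed; the IDs are placeholders, not real entries.
FEED = ["CVE-2014-0001", "CVE-2014-9999", "CVE-2014-12345", "CVE-2014-0002"]


def strict_feed(ids, pattern):
    """All-or-nothing validation, like schema validation of a whole feed:
    one ID that fails the pattern rejects every record."""
    for cve_id in ids:
        if not pattern.match(cve_id):
            raise ValueError(f"feed rejected: {cve_id!r} fails {pattern.pattern}")
    return list(ids)


def tolerant_feed(ids, pattern):
    """Per-record validation: quarantine what does not match, keep the rest."""
    accepted, quarantined = [], []
    for cve_id in ids:
        (accepted if pattern.match(cve_id) else quarantined).append(cve_id)
    return accepted, quarantined


def truncation_collisions(ids, width=13):
    """Map each ID that a fixed-width field (13 chars fits CVE-YYYY-NNNN)
    would silently cut down to the shorter, valid-looking ID it becomes."""
    return {i: i[:width] for i in ids if len(i) > width}


if __name__ == "__main__":
    try:
        strict_feed(FEED, OLD_ID)          # one 5-digit ID stops the whole feed
    except ValueError as exc:
        print(exc)
    print(tolerant_feed(FEED, OLD_ID))     # only the unknown ID is set aside
    print(strict_feed(FEED, NEW_ID))       # updated pattern passes every record
    print(truncation_collisions(FEED))     # truncated ID looks like a different CVE
```

The truncation case is the quieter of the two: nothing errors, and the shortened ID still matches the old pattern, so it can be attributed to the wrong vulnerability.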

Page Last Updated or Reviewed: October 03, 2014