
Re: CVE ID Syntax - Seeking Suggestions for Outreach

This doesn't need to be hard.  Hitting a variety of communication avenues
as others have recommended makes sense.   Even simple things like a
paragraph or two sent to slashdot and other blog-like security sites will
help get the word out.  A key message needs to be WHEN the transition is
going to hit ME.   When do I absolutely have to be ready?   If we are
vague on that date, nobody will pay attention.

Secondly, we can only control what we can control.  There will be some
services and product vendors that will not pay attention, will be late, or
will prioritize other enhancements in their products.  We can only
communicate to them that they WILL break when this change happens and hope
that they choose to cooperate.  The milk will be spilled.  Most players
will prepare and it will be OK.

Keep up the great work!


Lightspeed-Produce, Protect, Perform (LP3)
pager 703-397-1919

On 4/2/14, 8:01 AM, "Steven M. Christey" <coley@mitre.org> wrote:

>In recent months, MITRE has been working on public communications for
>the CVE ID syntax change.  We would like suggestions from the
>Editorial Board about how to further expand our outreach and educate
>the public.
>1) We published more detailed technical guidance for implementers to
>    find and address issues related to the syntax change:
>        http://cve.mitre.org/cve/identifiers/tech-guidance.html
>    This page includes some extensive testing data so that
>    implementations can have confidence that they have sufficiently
>    addressed the ID syntax.  For example, we have lists of dozens of
>    valid identifiers that could indicate parsing issues (such as
>    CVE-2014-2147483648 for triggering 32-bit representation problems),
>    and hundreds of invalid identifiers, some of which were drawn
>    directly from real-world requests to the CVE web site.
>2) We have also been gathering contact information for CVE-compatible
>    vendors, and we expect to email them shortly.  However, it's likely
>    that many of our contacts are from the marketing side of the
>    organization, so we might not always reach the right technical
>    people.
>3) We continue to periodically remind the public of the syntax change
>    through the cve-announce mailing list, Twitter, and LinkedIn.
>4) We have been making syntax-related code changes to our own web
>    sites and internal processes.  For example,
>    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-1012 now
>    provides a custom page that educates consumers about potential
>    truncation problems and the ID protection block, and
>    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-a1012
>    provides more specific error messages when CVE IDs are malformed.
>5) We have mentioned or focused on the syntax in talks that we've
>    given, especially in the last year, and will continue to do so.  We
>    are also considering offering a webinar.
>Despite these efforts, there are indications that we are not reaching
>everybody who needs to handle the change, especially the developers of
>CVE-compatible or CVE-using products.
>There also seems to be little press interest, as the syntax change is
>probably regarded as "old news."
>We would like suggestions from the Board about how we can reach the
>right people.
>For example:
>* Are there Board members who are willing to announce the change
>   and/or post educational material to their customer base?  If so,
>   what form would be the most useful - PowerPoint slides, a web page,
>   newsletter, webinar, etc.?
>* Would it be effective for us to encourage implementers to announce
>   when they have achieved "compliance" with the new syntax, and then
>   publicize these vendors?  Would this be useful in fostering some
>   competitiveness to drive organizations to a resolution?
>* Are there ways that we can help customers to directly engage with
>   their vendors to ensure that the issues are addressed?  We have not
>   yet directly emphasized customers in our outreach, but they might be
>   the most effective in contacting the right people within the vendors
>   and getting resolution.
>Any other ideas or suggestions are welcome and encouraged!
>If there is sufficient interest or need, we could have another
>Editorial Board teleconference that is focused on this topic.
>Thank you!
>- Steve
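The kind of check that item 1 of the quoted message describes, as an added example that is not part of this thread or of MITRE's published test data: a validator for the variable-length CVE ID syntax beside a hypothetical fixed-width legacy parser, run over the two IDs quoted above plus constructed variants. The LEGACY_SYNTAX pattern is an assumption about what a typical pre-2014 implementation looked like.

```python
import re

# Post-2014 CVE ID syntax: CVE-YYYY-NNNN..., where the sequence number has
# at least four digits and no upper bound on its length.
# re.ASCII keeps \d from accepting non-ASCII digit characters.
NEW_SYNTAX = re.compile(r"CVE-(\d{4})-(\d{4,})", re.ASCII)
# Hypothetical pre-2014 parser: fixed four-digit sequence, anchored only at
# the start, so it silently keeps a prefix of longer sequence numbers.
LEGACY_SYNTAX = re.compile(r"CVE-(\d{4})-(\d{4})", re.ASCII)
INT32_MAX = 2**31 - 1


def parse_cve_id(cve_id: str):
    """Return (year, sequence) as strings, or None if malformed.
    The sequence stays a string on purpose: storing it in a fixed-width
    integer is exactly the defect the 32-bit test IDs are meant to expose."""
    m = NEW_SYNTAX.fullmatch(cve_id.strip())
    return (m.group(1), m.group(2)) if m else None


def legacy_parse(cve_id: str):
    """Simulate the legacy parser; returns a truncated sequence for new IDs."""
    m = LEGACY_SYNTAX.match(cve_id.strip())
    return (m.group(1), m.group(2)) if m else None


def classify(cve_id: str) -> str:
    """Label an ID the way a validator fed MITRE-style test data would."""
    parsed = parse_cve_id(cve_id)
    if parsed is None:
        return "invalid"
    if int(parsed[1]) > INT32_MAX:
        return "valid (exceeds signed 32-bit range)"
    if legacy_parse(cve_id) != parsed:
        return "valid (truncated by legacy parser)"
    return "valid"


# Constructed sample set: the two IDs quoted in the thread plus variants
# that trigger the failure modes it names.
SAMPLE_IDS = [
    "CVE-2014-1012",        # four-digit sequence, both parsers agree
    "CVE-2014-10123",       # five digits: legacy parser reads 1012
    "CVE-2014-2147483648",  # equals 2**31: overflows a signed 32-bit int
    "CVE-2014-a1012",       # malformed: non-digit in the sequence
    "CVE-2014-123",         # malformed: fewer than four digits
]


def report(ids=SAMPLE_IDS) -> dict:
    return {i: classify(i) for i in ids}
```

Feeding a product's own ID handling the same sample set, and comparing against `parse_cve_id`, is the quickest way to see whether it truncates or overflows before the cut-over date.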

Page Last Updated or Reviewed: October 03, 2014