
Automated testing and CVE IDs; Board meeting at RSA 2015

Automated Testing and CVE IDs

MITRE was recently asked to assign CVE IDs to issues uncovered by the 
use of automated software testing tools. In the past, we have received
requests for CVE IDs for issues uncovered by fuzzing techniques, but we
have (to date) declined to do so. 

Some of our reasons for not assigning these requested IDs include:
  - CVE, by definition, is not a canonical list of all known vulnerabilities
    and is restricted in its coverage.
  - The software products being tested are not on the "Products" list
    agreed to with the Board.
  - The results, while indicating possible security issues, do not define
    vulnerabilities that could realistically be exploited.

Recognizing that the interests of the Board and the community are
dynamic, we want to raise the issue to the Board for discussion and
possible review of our coverage list (which is overdue for review).

We will follow this email with the specific details of the most recent 
request for the information of those who are interested, and will 
pose specific questions to the Board regarding CVE coverage of results
achieved through automated testing and similar techniques.

CVE Editorial Board Meeting at RSA 2015 (USA)

MITRE is planning to raise several items for discussion among the Board
over the next few months. Some topics include:

  - Rules, guidance, and conditions for addition or removal of CNAs

  - Rules, guidance, and conditions for addition or removal of Editorial
    Board members

  - A review of the current "Sources and Products" list

  - The strategic plan and direction for CVE

Please let us know which of the above topics are your highest priority
or priorities so we can focus our efforts.

Please also let us know if you plan to attend RSA 2015 in San Francisco so
we can begin planning for meeting space and support. We will, of course,
have a phone bridge so people can dial in to the meeting. Our current
plan is to have a formal Board meeting, restricted to Board members only,
and an informal informational BoF or similar that will be open to the public.

Your responses to the above are actively solicited. We do not ever want
to be in the position of moving forward on items that are not clearly aligned
with the wishes of the majority of the CVE Editorial Board membership.

Best Regards,
Steve Boyle
CVE Project Leader

Page Last Updated or Reviewed: October 30, 2015