Re: Upcoming changes for CVE

Board members and other readers of this list,

 

We would like to take this opportunity to notify the Editorial Board and the community of changes that are coming for CVE.

 

We recognize that there is deep frustration with some aspects of CVE, and that there are areas in need of updating after 16 years of continuous operation. We have been working on a number of things to improve our internal processes and workflow and will start to make visible changes to CVE in the coming weeks and months.

 

The operation and use of CVE has significantly evolved in the last 16 years.  While CVE has served the community very well, its current operating model is proving to be unable to keep up with the breadth and volume of CVE requests and subsequent production of final CVE entries.

 

Our intent is to be heavily engaged with the CVE community and users, now and even more so in the future, and to be completely transparent about what we are doing and why. If you believe at any time that we are not meeting those goals, we respectfully request your engagement and feedback telling us where we are falling short so that we can better understand the needs and requirements of the community.

 

 

CVE Editorial Board

-----------------------

The CVE Editorial Board was created to define and shape CVE, even before CVE first went public. The Board’s operating model and framework have evolved significantly in the years since as the community and requirements have evolved. Today, the community is more dynamic than it was even just a few years ago, and the Board model is in need of a refresh. To that end, Julie Connolly, a new member of the MITRE CVE Team, is taking on the role of liaison from MITRE to the Board.

 

Julie will be putting out an email that will outline what we believe are the objectives for a Board refresh, including responsibilities, membership, and a number of other aspects that have been discussed. Julie will provide more details in her email, and we hope the Board will be very engaged as we seek your suggestions, feedback and comments to help us refresh, shape and formalize a number of aspects of the Editorial Board and its operation.

 

 

CVE Numbering Authorities (CNAs)

-------------------------------------------

The CVE CNAs are another aspect of CVE that was instantiated years ago, and have proven valuable to the operation of CVE. As with the Board, the operation of and requirements on CNAs have evolved significantly and need to be updated. In particular, as the volume of requests for CVE IDs continues to increase, the need for, definition of the role, and the successful operation of CNAs becomes even more critical to CVE and the community. Tiffany Bergeron of the MITRE CVE Team is taking the lead for CNAs, and will be emailing this list to describe requirements and objectives for CNAs and to solicit suggestions, feedback and comments from the Board.

 

Tiffany will be engaging with the Board, and will email to described the objectives and plans for updating multiple aspects of the CNA relationship and functioning. Our aim is to improve both sides of the operation and reliability of CNAs, to have CNAs evolve to take on a larger role in the creation of CVEs, and to ultimately expand the number of CNAs.

 

 

CVE Assignment (CVE ID Requests)

------------------------------------------

No single aspect of CVE has been more problematic or engendered more frustration for both the community and for CVE than the process of requesting and assigning CVE IDs for newly discovered vulnerabilities. We will begin to implement changes in the next few days that will result in reasonable response times and process improvements, and to put in place new feedback mechanisms for requesters. We will be providing documented guidelines for requesting CVE IDs, including required elements and criteria. Because of the increasing volume of requests, we are planning to push more responsibility for well-constructed and informational requests back onto the requesters, rather than provide individual, educational responses as we sometimes have in the past. We will, of course, always be available to help researchers and disclosers understand what goes into a “good” CVE request, and we will be providing documentation to help both first-time and experienced requesters. Steve Boyle is taking responsibility for this area and will be following up with changes and plans. We are actively seeking additional comments, suggestions and feedback from the community to help us shape the process, feedback and utility of CVE ID requests.

 

 

Moving Forward

--------------------

MITRE has never, and will never, presume that “we know best” for CVE and its use within the community. The original operating principle of being guided by the Board remains as important as it ever has been in the history of CVE. For our part, we will be working to actively demonstrate more engagement and transparency with the Board and with the community.

 

If you are a Board member, please provide any responses to this list. For other readers of this list who do not have posting privileges, please send your feedback to cve@mitre.org.

 

Thank you for your advice and engagement to date. We look forward to your comments and input as we move forward with the evolution of CVE.

 

Steve Boyle

MITRE CVE Project Leader