[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE Numbering Authorities (was Re: Upcoming changes for CVE)

On Thu, 24 Sep 2015, Boyle, Stephen V. wrote:

: CVE Numbering Authorities (CNAs)
: -------------------------------------------

: The CVE CNAs are another aspect of CVE that was instantiated years ago, 
: and have proven valuable to the operation of CVE. As with the Board, the 
: operation of and requirements on CNAs have evolved significantly and 
: need to be updated. In particular, as the volume of requests for CVE IDs 
: continues to increase, the need for, definition of the role, and the 
: successful operation of CNAs becomes even more critical to CVE and the 
: community. Tiffany Bergeron of the MITRE CVE Team is taking the lead for 
: CNAs, and will be emailing this list to describe requirements and 
: objectives for CNAs and to solicit suggestions, feedback and comments 
: from the Board.
: Tiffany will be engaging with the Board, and will email to described the 
: objectives and plans for updating multiple aspects of the CNA 
: relationship and functioning. Our aim is to improve both sides of the 
: operation and reliability of CNAs, to have CNAs evolve to take on a 
: larger role in the creation of CVEs, and to ultimately expand the number 
: of CNAs.

Is there an ETA on this? Yet another CNA has stepped up to follow IBM's 
lead in using the incorrect CVE that is very clearly labeled to be 
specific to one vendor (CVE-20141-8730), all the while IBM keeps using it 
in advisory after advisory after several warnings from me, and one from 
Steve Christey I believe.

Every day this goes on, the more hassle it is for organizations trying to 
properly track vulnerabilities using the CVE 'standard'.

Additionally, I have found two more CNAs that are assigning incorrectly 
(as far as the year) and need to be reminded of the guidelines.


Page Last Updated or Reviewed: October 14, 2015