[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Upcoming changes for CVE





On Fri, Dec 11, 2015 at 9:46 AM, Bergeron, Tiffany <tbergeron@mitre.org> wrote:
Internal research has led us to conclude that we must seek the Board's guidance on two issues before opening the discussion of adding CNAs:
1) Update on products and sources (basis for swim lanes)

Can someone explain what "swim lanes" are in this context?  
 
2) Discussion on a simpler counting approach

What does "simpler counting approach" actually mean? Like simplifying CVE SPLIT/MERGE?
 

We have begun revising the products and sources list and will be posting our recommended changes to the Board for review and comment in the near future. We are also researching the feasibility of a highly simplified counting procedure. We are not prepared to make any recommendations to the Board at this time, but plan on opening up that discussion after we complete the review of the current products and sources list.

Best Regards,
Tiffany Bergeron
The CVE Team


-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Saturday, December 05, 2015 11:50 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Upcoming changes for CVE
Importance: High

On Thu, 24 Sep 2015, Boyle, Stephen V. wrote:

        ^^^^^^^^^^^

: CVE Numbering Authorities (CNAs)
: -------------------------------------------

: Tiffany will be engaging with the Board, and will email to described the
: objectives and plans for updating multiple aspects of the CNA
: relationship and functioning. Our aim is to improve both sides of the
: operation and reliability of CNAs, to have CNAs evolve to take on a
: larger role in the creation of CVEs, and to ultimately expand the number
: of CNAs.

Well over 60 days, no documentation drafts available, and no mail from
Tiffany to the board regarding this.

Honestly, it should not take more than two months to write CNA guidelines,
even with all of the issues at hand.

I am specifically replying to this piece after more than one person has
approached me the last few days, expressing frustration over not getting
CVE assignments, and after being told 'no' they can't be a CNA, even when
they are well-qualified and well-suited to be one.



--

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: December 17, 2015