Re: Upcoming changes for CVE

Hi Kurt,

You’ve raised 2 questions. Answering each in turn:

By “swim lanes” we mean the set of products and information sources for which each CNA is responsible. They are usually only for products the CNA produces, but there may be overlaps and exceptions (such as non-vendor, third-party CNAs). A review of the current products and sources list is currently in progress and will be brought to the Board for review at a later date.

As for counting, we need CNAs to dependably apply content decisions to determine the correct number of CVE IDs to assign. We’re looking to develop simpler counting rules overall, with the intent that they can be applied by a broader range of CNAs. This will also be brought to the Board in more detail when we open up the counting discussion.

Tiffany Bergeron

The CVE Team

The MITRE Corporation

From: Kurt Seifried <kseifried@redhat.com>
Sent: Friday, December 11, 2015 10:52 AM
To: Bergeron, Tiffany
Cc: cve-editorial-board-list
Subject: Re: Upcoming changes for CVE

On Fri, Dec 11, 2015 at 9:46 AM, Bergeron, Tiffany <tbergeron@mitre.org> wrote:
Internal research has led us to conclude that we must seek the Board's guidance on two issues before opening the discussion of adding CNAs:
1) Update on products and sources (basis for swim lanes)

Can someone explain what "swim lanes" are in this context?
2) Discussion on a simpler counting approach

What does "simpler counting approach" actually mean? Like simplifying CVE SPLIT/MERGE?

We have begun revising the products and sources list and will be posting our recommended changes to the Board for review and comment in the near future. We are also researching the feasibility of a highly simplified counting procedure. We are not prepared to make any recommendations to the Board at this time, but plan on opening up that discussion after we complete the review of the current products and sources list.

Best Regards,
Tiffany Bergeron
The CVE Team

-----Original Message-----
From: owner-cve-editorial-board-list@lists.mitre.org [mailto:owner-cve-editorial-board-list@lists.mitre.org] On Behalf Of jericho
Sent: Saturday, December 05, 2015 11:50 PM
To: cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: Upcoming changes for CVE
Importance: High

On Thu, 24 Sep 2015, Boyle, Stephen V. wrote:

: CVE Numbering Authorities (CNAs)
: -------------------------------------------
:
: Tiffany will be engaging with the Board, and will email to describe the
: objectives and plans for updating multiple aspects of the CNA
: relationship and functioning. Our aim is to improve both sides of the
: operation and reliability of CNAs, to have CNAs evolve to take on a
: larger role in the creation of CVEs, and to ultimately expand the number
: of CNAs.

Well over 60 days, no documentation drafts available, and no mail from
Tiffany to the board regarding this.

Honestly, it should not take more than two months to write CNA guidelines,
even with all of the issues at hand.

I am specifically replying to this piece after more than one person has
approached me the last few days, expressing frustration over not getting
CVE assignments, and after being told 'no' they can't be a CNA, even when
they are well-qualified and well-suited to be one.
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: December 17, 2015