RE: CVE program priorities
Hi Pascal et al,
Pascal wrote:
> What is "the U.S. IT sector"?
As one would expect, there are many and varying definitions of what constitutes
the "U.S. IT Sector." In this case, we picked the "U.S. IT Sector" as a
starting point for further discussion because that has historically been
one way to describe what CVE covers. Essentially, we are asking the Board
to decide on a definition of priorities that will serve the needs of the
community that uses CVE. That definition may or may not turn out to be what
some would consider the "U.S. IT Sector."
We share your questions about what would be included or excluded in such a
statement of priorities; we can reasonably expect it to engender at least as
many questions as it might answer. However, if we collectively acknowledge
that today's CVE cannot cover all publicly known vulnerabilities, then we
need to have a shared understanding of the priorities it is to operate against.
As you noted later in your comments, we need to balance what is manageable
against narrowing coverage to the point of being inconsequential.
With regard to your comments about CVE operations and CNAs, we believe that
the CNA pool not only should be, but needs to be opened up more broadly. How
that is defined and bounded is subject to further discussion with the Board.
We will note that, based on our experience, we believe there should be
qualifications to become a CNA, ongoing measures of effectiveness, and a
framework for adding and removing CNAs. In addition, each of those should be
clear and publicly documented.
You also touched on many of the topics and concepts we have been mulling over,
such as global identifier schemes and other ways to support and govern
the operation of cooperating or federated CVE-like enumerations. We will more
fully address your and others' related questions and comments in another,
combined response email.
Best Regards,
The MITRE CVE Team