
Re: CVE program priorities

On Mon, Dec 28, 2015 at 4:16 PM, Boyle, Stephen V. <sboyle@mitre.org> wrote:
Hi Pascal et al,

Pascal wrote:
> What is "the U.S. IT sector"?

As one would expect, there are many and varying definitions of what constitutes the "U.S. IT Sector." In this case, we picked the "U.S. IT Sector" as a starting point for further discussion because that has historically been one way to describe what CVE covers. Essentially, we are asking the Board to decide on a definition of priorities that will serve the needs of the community that uses CVE. That definition may or may not turn out to be what some would consider the "U.S. IT Sector."

We share your questions about what would be included or excluded in such a statement of priorities; we can reasonably expect it to engender at least as many questions as it might answer. However, if we collectively acknowledge that today's CVE cannot cover all publicly known vulnerabilities, then we need to have a shared understanding of the priorities it is to operate against. As you noted later in your comments, we need to balance what is manageable against narrowing coverage to the point of being inconsequential.

With regard to your comments about CVE operations and CNAs, we believe that the CNA pool not only should be, but needs to be opened up more broadly. How that is defined and bounded is subject to further discussion with the Board.

Will Mitre be leading this discussion? If so, can you post your suggested framework for this ASAP?
We will note that, based on our experience, we believe there should be qualifications to become a CNA, ongoing measures of effectiveness, and a framework for adding and removing CNAs. In addition, each of those should be clear and publicly documented.

Do we have an ETA for doing this and a structure for this? Or is this stuff waiting on the new docs/process/etc. being written by Mitre, as mentioned in the past?

You also touched on many of the topics and concepts we have been mulling over, such as global identifier schemes and other ways to support and govern the operation of cooperating or federated CVE-like enumerations. We will more fully address your and others' related questions and comments in another, combined response email.

Best Regards,


Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
Red Hat Product Security contact: secalert@redhat.com

Page Last Updated or Reviewed: December 29, 2015