
Re: CVE program priorities



I'd like to hear from the MITRE Team about how they would like the board to help us collectively move forward with CVE.  

I'd also like to second Art's insightful comment about carefully defining the problem.  

Similarly, where do we want CVE to be in 5 years?   What steps do we take to get there?  

Scott 

> On Dec 29, 2015, at 12:57 PM, Art Manion <amanion@cert.org> wrote:
> 
> A few collected responses...
> 
> On 2015-12-22 15:22, Eugene H. Spafford wrote:
>> 
>> The “cyber” world largely continues to operate on a “ship crap, fix it
>> later” model.  Whatever we do with the CVE infrastructure is not going
>> to change the causality, and eventually any response will break under
>> the load, the same as the malware repository/naming model has.
> 
> My view of CVE is that it isn't directly intended to change the
> causality, but to provide services and/or data (e.g., vulnerability
> identification) that supports other work like vulnerability management.
> We know some current use cases for CVE, but we don't have to know all
> of them.  Being able to even name/identify something is infrastructural.
> 
> Now, to the scale problem, it may be possible to scale CVE sufficiently
> to meet the identification goal.  Or it may not, or it may not be
> necessary even?  Anti-malware work somehow continues without centralized
> identification?  We're easily above 10K/year public vulnerability
> disclosures.
> 
>> On 2015-12-22 14:28, Kurt Seifried wrote:
>> I think we should really split the problem into:
>> 
>> 1) assigning CVEs
>> 
>> 2) the CVE database
>> 
>> as #1 can happily exist with or without #2.
> 
> This is an important point.  #1 is identification, this thing is called
> CVE-X.  Some amount of information (#2) is needed to perform #1 --
> uniqueness determination at least.  That amount could be reduced at the
> cost of more duplicates or overall less short-term quality for #2.
> 
>> On 2015-12-22 15:46, Boyle, Stephen V. wrote:
>> Updated list discussion topics & tasks
>> 
>> 0. The operation of CVE
>> 
>> 1. The prioritized scope of coverage for CVE and the associated
>> Sources and Products
>> 
>> 2. A review of CVE’s major use cases (added)
> ...
> 
> I'd like to suggest a step back (or possibly up) and ask if the Board
> (and other interested parties?) would be willing to focus first on
> problems/issues with CVE before getting into solutions.
> 
>  "Do not propose solutions until the problem has been discussed as
> thoroughly as possible without suggesting any."
> 
>  http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/
> 
> I'm not particularly against any of the discussion topics (well, maybe
> #1), and I don't think of it solely as a list of solutions, but the
> process idea here is to really work on describing the problem space
> first.
> 
> Regards,
> 
> - Art


Page Last Updated or Reviewed: December 30, 2015