
Re: CVE program priorities



A few collected responses...

On 2015-12-22 15:22, Eugene H. Spafford wrote:
>
> The “cyber” world largely continues to operate on a “ship crap, fix it
> later” model.  Whatever we do with the CVE infrastructure is not going
> to change the causality, and eventually any response will break under
> the load, the same as the malware repository/naming model has.

My view of CVE is that it isn't directly intended to change the
causality, but to provide services and/or data (e.g., vulnerability
identification) that supports other work like vulnerability management.
We know some current use cases for CVE, but we don't have to know all
of them.  Being able to even name/identify something is infrastructural.

Now, to the scale problem, it may be possible to scale CVE sufficiently
to meet the identification goal.  Or it may not, or it may not be
necessary even?  Anti-malware work somehow continues without centralized
identification?  We're easily above 10K/year public vulnerability
disclosures.

On 2015-12-22 14:28, Kurt Seifried wrote:
> I think we should really split the problem into:
>
> 1) assigning CVEs
>
> 2) the CVE database
>
> as #1 can happily exist with or without #2.

This is an important point.  #1 is identification, this thing is called
CVE-X.  Some amount of information (#2) is needed to perform #1 --
uniqueness determination at least.  That amount could be reduced at the
cost of more duplicates or overall less short-term quality for #2.

On 2015-12-22 15:46, Boyle, Stephen V. wrote:
> Updated list discussion topics & tasks
>
> 0. The operation of CVE
>
> 1. The prioritized scope of coverage for CVE and the associated
> Sources and Products
>
> 2. A review of CVE’s major use cases (added)
...

I'd like to suggest a step back (or possibly up) and ask if the Board
(and other interested parties?) would be willing to focus first on
problems/issues with CVE before getting into solutions.

  "Do not propose solutions until the problem has been discussed as
thoroughly as possible without suggesting any."

  http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/

I'm not particularly against any of the discussion topics (well, maybe
#1), and I don't think of it solely as a list of solutions, but the
process idea here is to really work on describing the problem space
first.

Regards,

 - Art


Page Last Updated or Reviewed: December 30, 2015