[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: CVE Advancements

Dear Board members,

I'll note first that Art is a great setup guy. Now to the update on the
face-to-face meeting

There have been several questions, comments and suggestions (both public and
private) regarding the proposed "CVE Advancements" face-to-face meeting and
we would like to update the full Board list.

In his email of 5 January 2016, Kent Landfield proposed a "multi-day CVE
Editorial Board Engineering and Organizational workshop... open to Editorial
Board members with the major purpose of addressing many of the outstanding
issues..." in order to "get those interested in fixing the current issues,
advancing CVE and putting it on a successful path... together in the same
room for a few days to have high-bandwidth, open and honest discussions about
the way forward."

Kent's list of potential topics was:
  *   Current CVE Operational Background and needed improvements
  *   CVE CNA Rules and Guidelines
  *   Existing CNA problems and guidelines to address them
  *   CVE Coverage - Prioritized scope of coverage for CVE / associated
Sources and Products
  *   A simpler counting approach
  *   Board Responsibilities
  *   US Focus of CVE in a world where software is being developed globally
  *   The Future Management Architecture of CVE Assignment - federated CVE
  *   CVE Uses - database / NVD, others
  *   CVE Backlog
  *   Funding of CVE operations
  *   The required "quality" of final CVE entries
  *   Board membership and the process for adding members

Since Kent's email:
-	Several Board members have either explicitly or implicitly expressed
support for Kent's proposal, many Board members have not provided any opinion.
-	A link to a private poll was provided to Editorial Board members as an aid
in scheduling the meeting.
-	Questions were raised regarding the proposed 3 day duration of the meeting.

At this point, we are moving forward with arranging the face-to-face meeting.
We will post another Doodle poll, as not many Board members could make the
originally proposed dates. If people have preferred or blackout dates, please
post them to the list.

The 3 day duration was proposed in order to give us sufficient time to go
over a number of topics, plus leave travel days on either end. We are refining
a proposed agenda, based on Kent's list and other Board member suggestions,
as well as what we believe should be covered. Again, if anyone has
suggestions for topics, please post them to this list.

Best Regards,

-----Original Message-----
From: Art Manion [mailto:amanion@cert.org] 
Sent: Friday, January 29, 2016 4:15 PM
To: Boyle, Stephen V. <sboyle@mitre.org>; cve-editorial-board-list <cve-editorial-board-list@lists.mitre.org>
Subject: Re: CVE Advancements

On 2016-01-05 16:40, Boyle, Stephen V. wrote:
> How about the weeks of March 28th - April 1st, and April 11th - 15th?

April 11-15 is out for me.

Strongly support the idea of a CVE-focused meeting, within the scope of
the editorial board.  Might the board invite other experts, if we think
that would be useful?

I also like the broader vulnerability database workshop idea, and may be
able to commit to helping, but these should be separate events.


 - Art

Page Last Updated or Reviewed: January 30, 2016