Re: CVE program priorities

• To: "Eugene H. Spafford" <gene.spafford@gmail.com>, cve-editorial-board-list<cve-editorial-board-list@LISTS.MITRE.ORG>
• Subject: Re: CVE program priorities
• From: Art Manion <amanion@cert.org>
• Date: Fri, 29 Jan 2016 16:46:16 -0500
• Authentication-Results: spf=none (sender IP is 129.83.29.3)smtp.mailfrom=LISTS.MITRE.ORG; mitre.mail.onmicrosoft.com; dkim=none (messagenot signed) header.d=none;mitre.mail.onmicrosoft.com; dmarc=none action=noneheader.from=cert.org;
• Delivery-Date: Sat Jan 30 16:41:32 2016
• In-Reply-To: <5682E56D.2030405@cert.org>
• List-Help: <mailto:LISTSERV@LISTS.MITRE.ORG?body=INFO%20CVE-EDITORIAL-BOARD-LIST>
• List-Owner: <mailto:CVE-EDITORIAL-BOARD-LIST-request@LISTS.MITRE.ORG>
• List-Subscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-subscribe-request@LISTS.MITRE.ORG>
• List-Unsubscribe: <mailto:CVE-EDITORIAL-BOARD-LIST-unsubscribe-request@LISTS.MITRE.ORG>
• References: <CY1PR09MB0873A71369CCDDE1AF00AB26C7E50@CY1PR09MB0873.namprd09.prod.outlook.com> <90DB6619-A293-44F1-A2DE-4379595EACD5@gmail.com> <5682E56D.2030405@cert.org>
• Sender: <owner-cve-editorial-board-list@lists.mitre.org>
• SpamDiagnosticMetadata: 43da9c421be74aed97248473db21fd15
• SpamDiagnosticOutput: 1:2
• User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:38.0) Gecko/20100101 Thunderbird/38.4.0

On 2015-12-29 14:56, Art Manion wrote:
> I'd like to suggest a step back (or possibly up) and ask if the Board
> (and other interested parties?) would be willing to focus first on
> problems/issues with CVE before getting into solutions.
> 
>   "Do not propose solutions until the problem has been discussed as
> thoroughly as possible without suggesting any."
> 
>   http://lesswrong.com/lw/ka/hold_off_on_proposing_solutions/

Having given it some more thought, and with some hope that we'll convene
an in-person meeting, I'd like to step back even further to what I'll
call use cases.

What is CVE used for, by whom, and how?

There is more than one answer, there is probably a "when" aspect too
(use cases change over time), and we may not know all the use cases or
be able to predict future ones.  Nonetheless, having some idea (and
agreement) on what CVE is for makes the discussion about problems
actually meaningful.  To have a problem, there is a (possibly assumed)
use that isn't being met.

So use cases, problems, solutions is the order I'm proposing, and this
should frame our in-person meeting, and even work leading up to the meeting.

Regards,

 - Art

PS, if you think I'm a process nut, I'm really not.  But I've seen
enough complicated, multi-party discussions to know that without some
process/framing, we're all spinning our wheels.

• Follow-Ups:
  • Re: CVE program priorities
    • From: Pascal Meunier <pmeunier@cerias.purdue.edu>

• Prev by Date: Re: Fwd: CVE Question
• Next by Date: collaboration tech/wiki
• Prev by thread: Re: Fwd: CVE Question
• Next by thread: Re: CVE program priorities
• Index(es):
  • Date
  • Thread